security-constraint not working, help please...

2005-08-12 Thread Trey Ethridge
Hello all,

I'm ready to pull my hair out getting the security constraint to work.  
Basically, I need to forward all traffic except one directory to the https 
port.  I've got it to work if I use the url-pattern of "/*".  However, when I 
specify the patterns to accomplish the task, nothing matches and I can access 
any page through the http port.

Here is what I'm using: 

In web.xml:


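<security-constraint>
  <web-resource-collection>
    <web-resource-name>Automatic SLL Forwarding</web-resource-name>
    <url-pattern>/Temp/*</url-pattern>
    <url-pattern>/temp/*</url-pattern>
    <url-pattern>/pictures/*</url-pattern>
    <url-pattern>/resources/*</url-pattern>
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/web/*</url-pattern>
    <url-pattern>/Operator/*</url-pattern>
    <url-pattern>/operator/*</url-pattern>
    <url-pattern>/soap/*</url-pattern>
    <url-pattern>/webtools/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>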
  



In server.xml:

  
  




  
  
  


  

  


Is there a way to specify everything except a directory using some kind of NOT 
operator?

Why won't what I'm using above forward me to the correct https port?

Thanks in advance.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Security Constraint

2005-02-15 Thread Mark Thomas
Could be a server.xml problem. Can you post the connector parts of your 
server.xml?

Mark
Xeth Waxman wrote:
I have a new servlet which I've created - whenever you try to access
this servlet, I get the security certificate dialog box (do you want
to accept this certificate).  However, this application has no
security constraint in its web.xml file - I don't know why it's trying
to serve up a certificate.  In addition, you have to click 'yes' on
the security dialog three times, as if it's trying to serve the
certificate three times in a row.  And, in the end, it doesn't take
the user to a secure connection - it just takes them to the http:
connection I wanted to get to in the first place.  I'm using Tomcat
5.5 - here's a copy of my very simple web.xml - if anyone has any
ideas, I'd appreciate it.  I don't want to make this a secure site and
take on the added overhead just because I can't stop the stupid
certificate from popping up.

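<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <servlet>
    <servlet-name>ACHLogin</servlet-name>
    <servlet-class>com.gcc.achpayments.ACHLogin</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>AddACHPayment</servlet-name>
    <servlet-class>com.gcc.achpayments.AddACHPayment</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ACHLogin</servlet-name>
    <url-pattern>/ACHLogin</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AddACHPayment</servlet-name>
    <url-pattern>/AddACHPayment</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
  </welcome-file-list>
</web-app>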

  




Security Constraint

2005-02-15 Thread Xeth Waxman
I have a new servlet which I've created - whenever you try to access
this servlet, I get the security certificate dialog box (do you want
to accept this certificate).  However, this application has no
security constraint in its web.xml file - I don't know why it's trying
to serve up a certificate.  In addition, you have to click 'yes' on
the security dialog three times, as if it's trying to serve the
certificate three times in a row.  And, in the end, it doesn't take
the user to a secure connection - it just takes them to the http:
connection I wanted to get to in the first place.  I'm using Tomcat
5.5 - here's a copy of my very simple web.xml - if anyone has any
ideas, I'd appreciate it.  I don't want to make this a secure site and
take on the added overhead just because I can't stop the stupid
certificate from popping up.


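<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <servlet>
    <servlet-name>ACHLogin</servlet-name>
    <servlet-class>com.gcc.achpayments.ACHLogin</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>AddACHPayment</servlet-name>
    <servlet-class>com.gcc.achpayments.AddACHPayment</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>ACHLogin</servlet-name>
    <url-pattern>/ACHLogin</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AddACHPayment</servlet-name>
    <url-pattern>/AddACHPayment</url-pattern>
  </servlet-mapping>

  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

  <welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
  </welcome-file-list>
</web-app>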

  


-- 
Xeth Waxman
[EMAIL PROTECTED]




RE: security-constraint to limit jsp access

2004-12-19 Thread Robert Taylor
Jay, 

There was just a fairly exhaustive thread on this topic.
Here is the outcome:
http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]&msgNo=163858

/robert

> -Original Message-
> From: Jay Wright [mailto:[EMAIL PROTECTED]
> Sent: Saturday, December 18, 2004 7:55 PM
> To: [EMAIL PROTECTED]
> Subject: security-constraint to limit jsp access
> 
> 
> 
> I have a struts 1.2.4 webapp in which I'm trying to hide my jsp's from being
> accessed directly.  Instead of throwing them in the WEB-INF folder, I'd
> rather just restrict access to them through the security-constraint in the
> web.xml.
> 
> I recently read that adding:
> 
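> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>JSPs</web-resource-name>
>     <url-pattern>/struts/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
> </security-constraint>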
> 
> to the web.xml file will restrict access to files in the directory from
> direct URL access, but not from redirection or jsp forwarding, so they can
> still be accessed through struts action mappings.
> 
> But this doesn't work.  It seems to be ignoring the constraint altogether,
> as if I am missing an additional configuration.  Is there something I need
> to add?  
> 
> I know my mapping is correct because if I throw:
> 
> <user-data-constraint>
>   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> 
> into the constraint, it does try to connect to the pages through a secure
> channel.  
> 
> I've scanned the web, now I'm on the mailing list: will this work and/or
> what is the best way to prevent direct access to the JSPs?  
> 
> Thanks,
> Jay
> 
> 
> 



Re: security-constraint to limit jsp access

2004-12-19 Thread sven morales
   I am not sure if it's already mentioned.  JSP
files stashed under WEB-INF/  are not accessible
directly.

--- Parsons Technical Services
<[EMAIL PROTECTED]> wrote:

> Jay,
> 
> I think you need the auth-constraint tags.
> 
> <security-constraint>
>   <display-name>Example Security Constraint</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <url-pattern>/security/protected/*</url-pattern>
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>role1</role-name>
>   </auth-constraint>
> </security-constraint>
> 
> Then don't give anyone that role.
> 
> Doug
> 
> - Original Message - 
> From: "Jay Wright" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, December 18, 2004 7:55 PM
> Subject: security-constraint to limit jsp access
> 
> > I have a struts 1.2.4 webapp in which I'm trying to hide my jsp's from
> > being accessed directly.  Instead of throwing them in the WEB-INF folder, I'd
> > rather just restrict access to them through the security-constraint in the
> > web.xml.
> >
> > I recently read that adding:
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>JSPs</web-resource-name>
> >     <url-pattern>/struts/*</url-pattern>
> >     <http-method>GET</http-method>
> >     <http-method>POST</http-method>
> >   </web-resource-collection>
> > </security-constraint>
> >
> > to the web.xml file will restrict access to files in the directory from
> > direct URL access, but not from redirection or jsp forwarding, so they can
> > still be accessed through struts action mappings.
> >
> > But this doesn't work.  It seems to be ignoring the constraint altogether,
> > as if I am missing an additional configuration.  Is there something I need
> > to add?
> >
> > I know my mapping is correct because if I throw:
> >
> > <user-data-constraint>
> >   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > </user-data-constraint>
> >
> > into the constraint, it does try to connect to the pages through a secure
> > channel.
> >
> > I've scanned the web, now I'm on the mailing list: will this work and/or
> > what is the best way to prevent direct access to the JSPs?
> >
> > Thanks,
> > Jay










Re: security-constraint to limit jsp access

2004-12-18 Thread Parsons Technical Services
Jay,
I think you need the auth-constraint tags.

   

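<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/security/protected/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>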
 
   
Then don't give anyone that role.
Doug
- Original Message - 
From: "Jay Wright" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, December 18, 2004 7:55 PM
Subject: security-constraint to limit jsp access


I have a struts 1.2.4 webapp in which I'm trying to hide my jsp's from 
being
accessed directly.  Instead of throwing them in the WEB-INF folder, I'd
rather just restrict access to them through the security-constraint in the
web.xml.

I recently read that adding:
  
   
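   <security-constraint>
     <web-resource-collection>
       <web-resource-name>JSPs</web-resource-name>
       <url-pattern>/struts/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
   </security-constraint>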
   
   
to the web.xml file will restrict access to files in the directory from
direct URL access, but not from redirection or jsp forwarding, so they can
still be accessed through struts action mappings.
But this doesn't work.  It seems to be ignoring the constraint 
altogether,
as if I am missing an additional configuration.  Is there something I need
to add?

I know my mapping is correct because if I throw:
   
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
   
into the constraint, it does try to connect to the pages through a secure
channel.
I've scanned the web, now I'm on the mailing list: will this work and/or
what is the best way to prevent direct access to the JSPs?
Thanks,
Jay



security-constraint to limit jsp access

2004-12-18 Thread Jay Wright

I have a struts 1.2.4 webapp in which I'm trying to hide my jsp's from being
accessed directly.  Instead of throwing them in the WEB-INF folder, I'd
rather just restrict access to them through the security-constraint in the
web.xml.

I recently read that adding:

   

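<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSPs</web-resource-name>
    <url-pattern>/struts/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>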



to the web.xml file will restrict access to files in the directory from
direct URL access, but not from redirection or jsp forwarding, so they can
still be accessed through struts action mappings.

But this doesn't work.  It seems to be ignoring the constraint altogether,
as if I am missing an additional configuration.  Is there something I need
to add?  

I know my mapping is correct because if I throw:


<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>


into the constraint, it does try to connect to the pages through a secure
channel.  

I've scanned the web, now I'm on the mailing list: will this work and/or
what is the best way to prevent direct access to the JSPs?  

Thanks,
Jay






Re: problem with security-constraint with Tomcat 5

2004-10-18 Thread Bill Barker
You didn't look hard enough :)

An extension is defined as the part of the last segment after the last '.'
character.


- Original Message -
From: "Mercado . Maria" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Monday, October 18, 2004 7:45 AM
Subject: RE: problem with security-constraint with Tomcat 5


Thanks for the suggestion, Yoav.  I looked but I didn't see anything that
stated that a url pattern with 2 dots is illegal.

- Cecile Mercado


-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Monday, October 18, 2004 9:12 AM
To: Tomcat Users List
Subject: RE: problem with security-constraint with Tomcat 5



Hi,
Could this be something that changed (or rather, was clarified) in the
Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4
(which Tomcat 5.x implements)? ;)

Yoav Shapira http://www.yoavshapira.com


>-Original Message-
>From: Mercado . Maria [mailto:[EMAIL PROTECTED]
>Sent: Monday, October 18, 2004 10:08 AM
>To: [EMAIL PROTECTED]
>Subject: problem with security-constraint with Tomcat 5
>
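>I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28.
>We're also using Tiles and Struts 1.1.  The problem is that Tomcat 5 seems
>to be confused with a url pattern that works with Tomcat 4.  Here's the
>pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version
>of web.xml):
>
>"...
>
>  <servlet>
>    <servlet-name>strutsnav</servlet-name>
>    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
>    <init-param>
>      <param-name>config</param-name>
>      <param-value>/WEB-INF/conf/struts-config.xml</param-value>
>    </init-param>
>    <init-param>
>      <param-name>validate</param-name>
>      <param-value>true</param-value>
>    </init-param>
>    <load-on-startup>1</load-on-startup>
>  </servlet>
>
>...
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.do</url-pattern>
>  </servlet-mapping>
>
>...
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>Secure Struts Actions</web-resource-name>
>      <url-pattern>*.sec.do</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>General User</role-name>
>    </auth-constraint>
>  </security-constraint>
>
>  <login-config>
>    <auth-method>FORM</auth-method>
>    <form-login-config>
>      <form-login-page>/login.do</form-login-page>
>      <form-error-page>/logininvalid.do</form-error-page>
>    </form-login-config>
>  </login-config>
>
>  <security-role>
>    <role-name>General User</role-name>
>  </security-role>
>
>..."
>
>If I try to access a sec.do Struts action, I just get a blank space in the
>body of the Tiles layout - I don't get the login form.  If I change the
>url-pattern in web-resource-collection to "*.do", then I get the login
>page.  It seems that Tomcat 5 doesn't like two dots in the url pattern.  Is
>this a bug?
>
>I also tried to add the following, but it didn't help:
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.sec.do</url-pattern>
>  </servlet-mapping>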
>
>
>
>Thanks,
>Cecile Mercado
>
>

Re: problem with security-constraint with Tomcat 5

2004-10-18 Thread Remy Maucherat
On Mon, 18 Oct 2004 10:45:23 -0400, Mercado . Maria <[EMAIL PROTECTED]> wrote:
> Thanks for the suggestion, Yoav.  I looked but I didn't see anything that stated 
> that a url pattern with 2 dots is illegal.

Most systems I am aware of consider that the extension is the last
dot. Otherwise, it starts adding complexity.
Don't expect a fix (assuming this is indeed a valid issue, which I doubt).

-- 
x
Rémy Maucherat
Developer & Consultant
JBoss Group (Europe) SàRL
x




RE: problem with security-constraint with Tomcat 5

2004-10-18 Thread Mercado . Maria
Thanks for the suggestion, Yoav.  I looked but I didn't see anything that stated that 
a url pattern with 2 dots is illegal.

- Cecile Mercado


-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Monday, October 18, 2004 9:12 AM
To: Tomcat Users List
Subject: RE: problem with security-constraint with Tomcat 5



Hi,
Could this be something that changed (or rather, was clarified) in the
Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4
(which Tomcat 5.x implements)? ;)

Yoav Shapira http://www.yoavshapira.com
 

>-Original Message-
>From: Mercado . Maria [mailto:[EMAIL PROTECTED]
>Sent: Monday, October 18, 2004 10:08 AM
>To: [EMAIL PROTECTED]
>Subject: problem with security-constraint with Tomcat 5
>
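>I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28.
>We're also using Tiles and Struts 1.1.  The problem is that Tomcat 5 seems
>to be confused with a url pattern that works with Tomcat 4.  Here's the
>pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version
>of web.xml):
>
>"...
>
>  <servlet>
>    <servlet-name>strutsnav</servlet-name>
>    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
>    <init-param>
>      <param-name>config</param-name>
>      <param-value>/WEB-INF/conf/struts-config.xml</param-value>
>    </init-param>
>    <init-param>
>      <param-name>validate</param-name>
>      <param-value>true</param-value>
>    </init-param>
>    <load-on-startup>1</load-on-startup>
>  </servlet>
>
>...
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.do</url-pattern>
>  </servlet-mapping>
>
>...
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>Secure Struts Actions</web-resource-name>
>      <url-pattern>*.sec.do</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>General User</role-name>
>    </auth-constraint>
>  </security-constraint>
>
>  <login-config>
>    <auth-method>FORM</auth-method>
>    <form-login-config>
>      <form-login-page>/login.do</form-login-page>
>      <form-error-page>/logininvalid.do</form-error-page>
>    </form-login-config>
>  </login-config>
>
>  <security-role>
>    <role-name>General User</role-name>
>  </security-role>
>
>..."
>
>If I try to access a sec.do Struts action, I just get a blank space in the
>body of the Tiles layout - I don't get the login form.  If I change the
>url-pattern in web-resource-collection to "*.do", then I get the login
>page.  It seems that Tomcat 5 doesn't like two dots in the url pattern.  Is
>this a bug?
>
>I also tried to add the following, but it didn't help:
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.sec.do</url-pattern>
>  </servlet-mapping>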
>
>
>
>Thanks,
>Cecile Mercado
>
>



RE: problem with security-constraint with Tomcat 5

2004-10-18 Thread Shapira, Yoav

Hi,
Could this be something that changed (or rather, was clarified) in the
Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4
(which Tomcat 5.x implements)? ;)

Yoav Shapira http://www.yoavshapira.com


>-Original Message-
>From: Mercado . Maria [mailto:[EMAIL PROTECTED]
>Sent: Monday, October 18, 2004 10:08 AM
>To: [EMAIL PROTECTED]
>Subject: problem with security-constraint with Tomcat 5
>
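>I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28.
>We're also using Tiles and Struts 1.1.  The problem is that Tomcat 5 seems
>to be confused with a url pattern that works with Tomcat 4.  Here's the
>pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version
>of web.xml):
>
>"...
>
>  <servlet>
>    <servlet-name>strutsnav</servlet-name>
>    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
>    <init-param>
>      <param-name>config</param-name>
>      <param-value>/WEB-INF/conf/struts-config.xml</param-value>
>    </init-param>
>    <init-param>
>      <param-name>validate</param-name>
>      <param-value>true</param-value>
>    </init-param>
>    <load-on-startup>1</load-on-startup>
>  </servlet>
>
>...
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.do</url-pattern>
>  </servlet-mapping>
>
>...
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>Secure Struts Actions</web-resource-name>
>      <url-pattern>*.sec.do</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>General User</role-name>
>    </auth-constraint>
>  </security-constraint>
>
>  <login-config>
>    <auth-method>FORM</auth-method>
>    <form-login-config>
>      <form-login-page>/login.do</form-login-page>
>      <form-error-page>/logininvalid.do</form-error-page>
>    </form-login-config>
>  </login-config>
>
>  <security-role>
>    <role-name>General User</role-name>
>  </security-role>
>
>..."
>
>If I try to access a sec.do Struts action, I just get a blank space in the
>body of the Tiles layout - I don't get the login form.  If I change the
>url-pattern in web-resource-collection to "*.do", then I get the login
>page.  It seems that Tomcat 5 doesn't like two dots in the url pattern.  Is
>this a bug?
>
>I also tried to add the following, but it didn't help:
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.sec.do</url-pattern>
>  </servlet-mapping>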
>
>
>
>Thanks,
>Cecile Mercado
>
>



problem with security-constraint with Tomcat 5

2004-10-18 Thread Mercado . Maria
I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28.  We're 
also using Tiles and Struts 1.1.  The problem is that Tomcat 5 seems to be confused 
with a url pattern that works with Tomcat 4.  Here's the pertinent parts of web.xml (I 
get the same results with 2.3 or 2.4 version of web.xml):

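"...

<servlet>
  <servlet-name>strutsnav</servlet-name>
  <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  <init-param>
    <param-name>config</param-name>
    <param-value>/WEB-INF/conf/struts-config.xml</param-value>
  </init-param>
  <init-param>
    <param-name>validate</param-name>
    <param-value>true</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

...

<servlet-mapping>
  <servlet-name>strutsnav</servlet-name>
  <url-pattern>*.do</url-pattern>
</servlet-mapping>

...

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Struts Actions</web-resource-name>
    <url-pattern>*.sec.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>General User</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.do</form-login-page>
    <form-error-page>/logininvalid.do</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>General User</role-name>
</security-role>

..."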

If I try to access a sec.do Struts action, I just get a blank space in the body of the 
Tiles layout - I don't get the login form.  If I change the url-pattern in 
web-resource-collection to "*.do", then I get the login page.  It seems that Tomcat 5 
doesn't like two dots in the url pattern.  Is this a bug?

I also tried to add the following, but it didn't help:

<servlet-mapping>
  <servlet-name>strutsnav</servlet-name>
  <url-pattern>*.sec.do</url-pattern>
</servlet-mapping>



Thanks,
Cecile Mercado





Security Constraint - Tomcat 5.0

2004-10-02 Thread Omar Adobati
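Good morning all,

Can I set a security constraint saying that I need to protect all except a directory 
or a certain file?
My folder tree is quite like this one:
  myApp
   |
   + - - /images/
   |
   + - - /WEB-INF/
   |
   + - - *.jsp files

Well, what I need is to protect all, but to not protect the images folder. 
How can I do it?

This is what I have in my web.xml file.

  <security-constraint>
[...]
    <web-resource-collection>
      <web-resource-name>Banner Manager</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
  </security-constraint>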

  

regards,

Omar

Re: security-constraint in web.xml

2004-08-17 Thread Fabian Pena
Your suggestion works perfectly.
Thank you very much.
Fabian
Bill Barker wrote:
You simply need to have two security-constraints:  One looks like below, and
the other has <url-pattern>/*</url-pattern>, and doesn't have an
<auth-constraint>.
<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
I need help to configure a secure application.
I'm trying to request a client certificate in one page only (the rest should
be accessible without presenting a certificate) and force to use SSL in the
entire application.
I put the following in the web.xml
   
   
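   <security-constraint>
     <web-resource-collection>
       <web-resource-name>certificates</web-resource-name>
       <url-pattern>/certificates/add.action</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>*</role-name>
     </auth-constraint>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
   <login-config>
     <auth-method>CLIENT-CERT</auth-method>
   </login-config>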
   
If I add a new url pattern, this page will request client certificate too.
How can I force to use SSL without requiring a client certificate but still
require it in a specific page?
Thanks in advance.
regards,
fabian



Re: security-constraint in web.xml

2004-08-16 Thread Bill Barker
You simply need to have two security-constraints:  One looks like below, and
the other has <url-pattern>/*</url-pattern>, and doesn't have an
<auth-constraint>.

<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
I need help to configure a secure application.
I'm trying to request a client certificate in one page only (the rest should
be accessible without presenting a certificate) and force to use SSL in the
entire application.

I put the following in the web.xml



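<security-constraint>
  <web-resource-collection>
    <web-resource-name>certificates</web-resource-name>
    <url-pattern>/certificates/add.action</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>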



If I add a new url pattern, this page will request client certificate too.
How can I force to use SSL without requiring a client certificate but still
require it in a specific page?

Thanks in advance.

regards,
fabian







Re: security-constraint in web.xml

2004-08-16 Thread Joel
On Mon, 16 Aug 2004 09:58:04 -0300
[EMAIL PROTECTED] wrote

> I need help to configure a secure application.
> I'm trying to request a client certificate in one page only (the rest should
> be accessible without presenting a certificate) and force to use SSL in the
> entire application.
> 
> I put the following in the web.xml
> 
> 
> 
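> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>certificates</web-resource-name>
>     <url-pattern>/certificates/add.action</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>*</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
> </login-config>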
> 
> 
> 
> If I add a new url pattern, this page will request client certificate too.
> How can I force to use SSL without requiring a client certificate but still
> require it in a specific page?

I haven't taken the time to analyze your , but my
impression is that ssl can't really function without certificates.

It might be possible to pre-supply a (fake) client certificate, but I'm
not sure that would buy you anything. If the client needs a certificate,
it would be best to supply the client with (a real) one (even if only
self-certified). If the client doesn't know what to do with a
certificate, how would it know what to do with the encrypted streams?

-- 
Joel <[EMAIL PROTECTED]>





Re: security-constraint in web.xml

2004-08-16 Thread Jon Wingfield
Not sure you can do this with Tomcat alone (but would be happy to be 
shown the error of my ways). This is because every ssl connection uses 
the same SSLSocketFactory configuration irrespective of requested URI.

The mod_ssl module for Apache has support for this type of config, though:
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC8
HTH (or prompts another answer),
Jon
[EMAIL PROTECTED] wrote:
I need help to configure a secure application.
I'm trying to request a client certificate in one page only (the rest should
be accessible without presenting a certificate) and force to use SSL in the
entire application.
I put the following in the web.xml


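<security-constraint>
  <web-resource-collection>
    <web-resource-name>certificates</web-resource-name>
    <url-pattern>/certificates/add.action</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>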

If I add a new url pattern, this page will request client certificate too.
How can I force to use SSL without requiring a client certificate but still
require it in a specific page?
Thanks in advance.
regards,
fabian


security-constraint in web.xml

2004-08-16 Thread fpena
I need help to configure a secure application.
I'm trying to request a client certificate in one page only (the rest should
be accessible without presenting a certificate) and force to use SSL in the
entire application.

I put the following in the web.xml



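<security-constraint>
  <web-resource-collection>
    <web-resource-name>certificates</web-resource-name>
    <url-pattern>/certificates/add.action</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>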



If I add a new url pattern, this page will request client certificate too.
How can I force to use SSL without requiring a client certificate but still
require it in a specific page?

Thanks in advance.

regards,
fabian





security-constraint in web.xml

2004-08-14 Thread fpena
Hello, how are you?
I need help to configure a secure application.
I am trying to request client certificate in only one page and force to
use SSL in the entire application.

I put the following in the web.xml



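<security-constraint>
  <web-resource-collection>
    <web-resource-name>certificates</web-resource-name>
    <url-pattern>/certificates/add.action</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>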



If I add a new url pattern, this page will request client certificate too.
How can I force to use SSL without requiring a client certificate but still
require it in a specific page?

I hope that you can understand me. If you need more information or clarify
something, please let me know.

Thank you very much in advance.
Fabian






RE: Overlapping security-constraint definitions?

2004-07-16 Thread Craig Berry
That makes sense.  Unfortunately. :)  We'll go with explicit listing of
the more-restricted URLs.  Thanks for the quick and thorough reply!

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
Sent: Thursday, July 15, 2004 7:59 PM
To: [EMAIL PROTECTED]
Subject: Re: Overlapping security-constraint definitions?


It's true that how Overlapping security-constraints are handled has
changed between TC 4 & TC 5 (since they changed in the servlet-spec),
but that's not what is causing your problem.
[snip]




Re: Overlapping security-constraint definitions?

2004-07-15 Thread Bill Barker
It's true that how Overlapping security-constraints are handled has changed
between TC 4 & TC 5 (since they changed in the servlet-spec), but that's not
what is causing your problem.

The <url-pattern>/edit*</url-pattern> isn't valid, so it looks like you were
relying on an 'undocumented feature' of TC 4 ;-).  TC 5 will treat this as a
match for a URL that is literally '/myapp/edit*'.

The valid pattern is <url-pattern>/edit/*</url-pattern>, so if you move all
of your edit* files to a subdirectory (and fix the links), then you can have
a wild-card pattern.  Otherwise, there is nothing to do but to list all of
your edit* URLs.

"Craig Berry" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
I recently moved from Tomcat 4 to 5, and have discovered that the
handling of overlapping security-constraint definitions in web.xml seems
to have changed.  I am hoping someone can recommend the best way to
accomplish what I need to do under TC5.

I have two possible user roles.  All users have the role "User"; in
addition, some have a second role, "Admin".  I want to require at least
"User" role to access any page, but require "Admin" role to access a few
specific page patterns.  So I have two security-constraint entries, like
this (this is a simplified version):


  
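<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure content</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>User</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin content</web-resource-name>
    <url-pattern>/edit*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>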
  


This worked under TC4; since all users have the "User" role, everyone
could get at all my *.do pages, but users without the "Admin" role would
get a 403 if they tried to reach a page starting with "edit".

However, under TC5, it appears that permissions are adding rather than
subtracting, if that makes sense.  In other words, the presence of the
blanket permission for *.do makes all pages accessible, and the attempt
to add an additional rule about /edit* pages is ignored.

I could obviously enumerate all the pages in both categories, but that
would be brittle in the face of new development.  Is there a way to do
this with patterns as I did under TC4?

-- 
Craig Berry
Principal Architect and Technical Manager
PortBlue
(310) 566-7546







Overlapping security-constraint definitions?

2004-07-15 Thread Craig Berry
I recently moved from Tomcat 4 to 5, and have discovered that the
handling of overlapping security-constraint definitions in web.xml seems
to have changed.  I am hoping someone can recommend the best way to
accomplish what I need to do under TC5.

I have two possible user roles.  All users have the role "User"; in
addition, some have a second role, "Admin".  I want to require at least
"User" role to access any page, but require "Admin" role to access a few
specific page patterns.  So I have two security-constraint entries, like
this (this is a simplified version):


  
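<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure content</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>User</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin content</web-resource-name>
    <url-pattern>/edit*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>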
  


This worked under TC4; since all users have the "User" role, everyone
could get at all my *.do pages, but users without the "Admin" role would
get a 403 if they tried to reach a page starting with "edit".

However, under TC5, it appears that permissions are adding rather than
subtracting, if that makes sense.  In other words, the presence of the
blanket permission for *.do makes all pages accessible, and the attempt
to add an additional rule about /edit* pages is ignored.

I could obviously enumerate all the pages in both categories, but that
would be brittle in the face of new development.  Is there a way to do
this with patterns as I did under TC4?

-- 
Craig Berry
Principal Architect and Technical Manager
PortBlue
(310) 566-7546
 




Tomcat 5 with HTTPS to protect a subset of a webapp : pb url-pattern + security constraint

2004-07-08 Thread SPIELMANN Christophe

Hello there,

I use the classic Tomcat 5.0.18 without any modifications.

I would like to protect a subset of my webapp. To do so, I did the following:
- I configured my Tomcat to accept SSL
- I added a security-constraint in web.xml

I am facing the following problems:

1. the url-pattern /frwk/module/admin* does not work. I don't switch to Https. With a 
more simple pattern it works fine.

2. In my browser IE5.50 :-( , I got some links https://localhost:8080/framework... I 
then get error with those links. I truly don't understand the logic as when I see the 
properties of the page I see https://localhost:8433/framework. And My address bar is 
also https://localhost:8433/... ( due to a redirect ? )

3. I was expecting Tomcat to switch from http to https and then from http to https 
when a page is outside the security pattern. It does not seem to be the case. It would 
have been too simple, I imagine.

If anyone has ever done such a thing, I would appreciate your hints.


Here are my configs:

in web.xml :



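<security-constraint>
  <display-name>Embedded Admin Module Security</display-name>
  <web-resource-collection>
    <web-resource-name>Admin module through actions</web-resource-name>
    <url-pattern>/frwk/module/admin*</url-pattern>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Admin module through Language Bar with tile as the forward</web-resource-name>
    <url-pattern>/i18n/processLocalization.do\?forward=frwk\.admin*</url-pattern>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Admin module through Language Bar with an action as the forward</web-resource-name>
    <url-pattern>/i18n/processLocalization.do\?forward=/frwk/module/admin*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>framework</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>lets use https</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Framework Application</realm-name>
</login-config>

<security-role>
  <description>
    The role that is required to log in to the Administration Application
  </description>
  <role-name>framework</role-name>
</security-role>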


In server.xml:




   


Txs,
Christophe Spielmann
[EMAIL PROTECTED]
 






RE: Can webapps 'share' a security-constraint?

2004-05-26 Thread Knight, Digby
Look at the SingleSignOn valve.


-Original Message-
From: Barnet Wagman [mailto:[EMAIL PROTECTED]
Sent: 26 May 2004 16:53
To: Tomcat Users List
Subject: Can webapps 'share' a security-constraint?


I'd like users to be able to login once and get access to several web 
apps.  Is it possible for web apps to 'share' a security-contraint?

I've tried putting the constraint into conf/web.xml That applies the 
constraints to all the specified web apps managed by the server, but 
users still need to log into each web app separately.

I.e. if  conf/web.xml contains a security constraint that such as


Site access constraint

Protected
Area  
/WebApp_A/*
/WebApp_B/*

  
  a_defined_role




(webapps/Web_App_A/WEB-INF/web.xml and webapps/Web_App_B/WEB-INF/web.xml 
do not contain a security-constraint.)
(By the way, I don't know if putting a security constraint in 
conf/web.xml is legitimate.)

The constraint will apply to WebApp_A and WebApp_B
When a user access a page in WebApp_A, she is required to login. If, 
after a successful login, she accesses a page in WebApp_B,  she will 
have to log in again.  Is there a way to force the first login to apply 
to all the listed web-apps?

Thanks,

bw




RE: Can webapps 'share' a security-constraint?

2004-05-26 Thread Shapira, Yoav

Hi,
You might be able to use the SingleSignOn Valve (see tomcat
configuration reference documentation) for this.

It's OK but not recommended to put the security constraints in
conf/web.xml, although that's another way to share a constraint among
webapps.

As for a pure, portable way to share constraints: I don't think.
Web.xml by definition is for one webapp.  You'd have to copy/paste the
constraints or put them in a separate XML file and include that via XML
entities.

Yoav Shapira
Millennium Research Informatics


>-Original Message-
>From: Barnet Wagman [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, May 26, 2004 11:53 AM
>To: Tomcat Users List
>Subject: Can webapps 'share' a security-constraint?
>
>I'd like users to be able to login once and get access to several web
>apps.  Is it possible for web apps to 'share' a security-contraint?
>
>I've tried putting the constraint into conf/web.xml That applies the
>constraints to all the specified web apps managed by the server, but
>users still need to log into each web app separately.
>
>I.e. if  conf/web.xml contains a security constraint that such as
>
>
>Site access constraint
>
>Protected
>Area
>/WebApp_A/*
>/WebApp_B/*
>
>
>  a_defined_role
>    
>
>
>
>(webapps/Web_App_A/WEB-INF/web.xml and
webapps/Web_App_B/WEB-INF/web.xml
>do not contain a security-constraint.)
>(By the way, I don't know if putting a security constraint in
>conf/web.xml is legitimate.)
>
>The constraint will apply to WebApp_A and WebApp_B
>When a user access a page in WebApp_A, she is required to login. If,
>after a successful login, she accesses a page in WebApp_B,  she will
>have to log in again.  Is there a way to force the first login to apply
>to all the listed web-apps?
>
>Thanks,
>
>bw






Can webapps 'share' a security-constraint?

2004-05-26 Thread Barnet Wagman
I'd like users to be able to log in once and get access to several web 
apps.  Is it possible for web apps to 'share' a security-constraint?

I've tried putting the constraint into conf/web.xml. That applies the 
constraints to all the specified web apps managed by the server, but 
users still need to log into each web app separately.

I.e. if conf/web.xml contains a security constraint such as
   
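   <security-constraint>
     <display-name>Site access constraint</display-name>
     <web-resource-collection>
       <web-resource-name>Protected Area</web-resource-name>
       <url-pattern>/WebApp_A/*</url-pattern>
       <url-pattern>/WebApp_B/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>a_defined_role</role-name>
     </auth-constraint>
   </security-constraint>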
   
   

(webapps/Web_App_A/WEB-INF/web.xml and webapps/Web_App_B/WEB-INF/web.xml 
do not contain a security-constraint.)
(By the way, I don't know if putting a security constraint in 
conf/web.xml is legitimate.)

The constraint will apply to WebApp_A and WebApp_B.
When a user accesses a page in WebApp_A, she is required to log in. If, 
after a successful login, she accesses a page in WebApp_B, she will 
have to log in again.  Is there a way to force the first login to apply 
to all the listed web-apps?

Thanks,
bw


tomcat security constraint with jk and apache

2004-04-01 Thread Summers, Bert W.
I have Apache2 running as the front end handling all the client PKI
authentication.
Then Tomcat 4.1 using security constraints in the web.xml.
 
Now I use jk to connect them together and it works fine, sort of.
 
I can access protected files inside of Tomcat from Apache.  Specifically any
file that is not mapped with a JkMount entry is served up by Apache which
ignores my web.xml.
 
Do I have to use Apache to protect them as well as Tomcat? Or should I just
make tomcat serve all the files?
 
Does anybody have this issue? How do you deal with it?
 
Thanks


security-constraint question

2004-03-18 Thread Koes, Derrick
I have a web application which uses a security-constraint in the deployment
descriptor.

My lone url-pattern in my web-resource-collection is for my welcome page.
This has worked well enough.

However, now I wish to access a specific URL, a servlet that produces pdf
documents, bypassing the welcome page.

My feeling is that this should be added as another url-pattern.  However,
doing so causes the File Download dialog.

...

File name:  pdf

File type:  Adobe Acrobat Control for ActiveX

From:  server

...

 

Trying to open or save produces an error dialog that states that the
requested site is either unavailable or cannot be found.

 

Prior to me adding the url to the servlet, this was not a problem.  The pdf
simply opened in the adobe plug-in.

I'm merely setting the content type to the mime type (application-pdf) and
the output stream to the document.  Perhaps I need to set more header info,
or perhaps my web.xml is wrong.

 

Thanks for the help.

 

My web.xml:

 



http://java.sun.com/j2ee/dtds/web-app_2_3.dtd";>



  Digital OR Assistant

  DORA is a multimedia database supporting the OR of the
future.

  

Set Character Encoding

 
com.snn.util.filters.SetCharacterEncodingFilter



  encoding

  UTF-8



  

  

Timeout Check Filter

com.snn.util.filters.TimeoutCheckFilter

  

  

Set Character Encoding

/*

  

  

Timeout Check Filter

/*

  

  

com.snn.util.listeners.SessionManager

  

  

Dora

Dora

/index.jsp



  dora.propertyFile

  C:/Program
Files/DORAweb/conf/dora.properties





  dora.version

  1.2.0





  surgeon

  1





  non-surgeon

  2





  admin

  3



  

  

MediaContentHandler

Media Content Handler

Handler for retrieving and storing media files into
DORA

com.snn.multimedia.ui.MediaContentHandler



  dora.propertyFile

  C:/Program
Files/DORAweb/conf/dora.properties





  dora.version

  1.2.0





  surgeon

  1





  non-surgeon

  2





  admin

  3



  

  

DownloadCase

Download Case

Handler for downloading case files from DORAweb to
client

com.snn.multimedia.ui.DownloadCase



  dora.propertyFile

  C:/Program
Files/DORAweb/conf/dora.properties





  dora.version

  1.2.0





  surgeon

  1





  non-surgeon

  2





  admin

  3



  

  

Dora

/index.jsp

  

  

MediaContentHandler

/MediaContentHandler

  

  

DownloadCase

/DownloadCase

  

  

-1

  

  

index.jsp

  

  

401

/error404.jsp

  

  

404

/error404.jsp

  

  

  



  dora

  /index.jsp

  GET

  POST





  1

  2

  3



  

  

BASIC

DORA

  

  

Surgical user of the system (e.g. Attending,
M.D.)

1

  

  

Non-surgical user of the system (e.g. R.N., SurgTech,
admin)

2

  

  

Administrator of the system.

3

  



 



Re: transitioning from non-logged in to logged in using security constraint....

2004-03-12 Thread Paul Tomsic
no, my question wasn't whether request.getRemoteUser()
returns null or not.  HOW, specifically, 
does tomcat populate that information using the
j_security_check and the security-constraint nodes in
the web.xml???






Re: transitioning from non-logged in to logged in using security constraint....

2004-03-12 Thread Adam Hardy
On 03/12/2004 03:34 PM Paul Tomsic wrote:
What does tomcat do to ensure that you're logged in
while using the j_security_check ?
We're trying to transition users from non-logged in to
logged in, but we've got a fair amt. of portions of
the site that should be accessible from both states
(non-logged in and logged in)
Is there something, programmatically, that's done, or
is it something that tomcat simply places in the
user's session?
any advice or direction to the location in the API
would be great.
Paul,
if you're logged in, request.getRemoteUser() returns the login name you 
gave. If you're not, it returns null.

There's nothing in the session that is available to you with 
session.getAttribute(), if that's what your question was.

Check out the java API for HttpServletRequest and ServletRequest.

Adam

--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian


transitioning from non-logged in to logged in using security constraint....

2004-03-12 Thread Paul Tomsic
What does tomcat do to ensure that you're logged in
while using the j_security_check ?
We're trying to transition users from non-logged in to
logged in, but we've got a fair amt. of portions of
the site that should be accessible from both states
(non-logged in and logged in)

Is there something, programmatically, that's done, or
is it something that tomcat simply places in the
user's session?
any advice or direction to the location in the API
would be great.

thanks





Re: security-constraint node question

2004-02-24 Thread Tim Funk
You would need to combine two security philosophies
- container based security
- programmer based security
The first is done via web.xml and matching URLs against given roles. When 
that is not enough, then you need to use programmatic security. You use the 
HttpServletRequest object's instance methods getPrincipal, getRemoteUser, or 
isUserInRole to decide if the user can do what you want.

The key point is the servlet spec only places security constraints on the 
*incoming* URL. (for 2.3 --> tomcat 4.x)

-Tim

John MccLain wrote:
How would I get Tomcat to use a database table instead of the web or server
.xml files' .. to enforce
authorization? I would prefer to have objects in my webapp to have
configurable authorization applied to them outside of tomcat configuration
files; Done more like JDBCRealm authentication.




security-constraint node question

2004-02-24 Thread John MccLain
How would I get Tomcat to use a database table instead of the web or server
.xml files' .. to enforce
authorization? I would prefer to have objects in my webapp to have
configurable authorization applied to them outside of tomcat configuration
files; Done more like JDBCRealm authentication.





Re: security constraint bug?

2004-02-23 Thread Bill Barker

"Brandon Goodin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> I have the following security constraint specified in my web.xml:
>
>
>
> 
>
> 
>
> Customer Area
>
> /customer/*
>
> 
>
> 
>
> customer
>
> 
>
> 
>
>
>
> When I go to the following url it gets blocked.
>
>
>
> http://phase.zapto.org:8282/customer.do
>
>
>
> I'm assuming this is a bug. Is it not?
>

It's a bug, which is fixed in 5.0.19.

>
>
> I'm using Tomcat 5.0.18
>
>
>
> Brandon Goodin
>
>
>
>
>
>







security constraint bug?

2004-02-22 Thread Brandon Goodin
I have the following security constraint specified in my web.xml:

 





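<security-constraint>
  <web-resource-collection>
    <web-resource-name>Customer Area</web-resource-name>
    <url-pattern>/customer/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customer</role-name>
  </auth-constraint>
</security-constraint>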





 

When I go to the following url it gets blocked.

 

http://phase.zapto.org:8282/customer.do

 

I'm assuming this is a bug. Is it not?

 

I'm using Tomcat 5.0.18

 

Brandon Goodin

 

 



Security Constraint works on port 8080 but not on 80 (Through mod_jk)

2004-01-14 Thread Nick
I thought it would be a good idea to have a place to learn while I have
my server on-line business uses. In my server.xml I have two sessions
running. One should answer on 8080 and the other off port 80 through
mod_jk/apache. I am testing a simple BASIC auth setup and for some
reason the app answers on port 8080 with  a username/password request.
and the one on apache just lets me straight in. The way I have the
configs I thought it wouldn't answer at all on 8080.

Can someone who has more than 1 frustrating week of experience take a
look at the configs for some obvious blunder.

Thanks Nix










factory
org.apache.catalina.users.MemoryUserDatabaseFactory


pathname
conf/tomcat-users.xml



 










localhost
www.efficax.net
192.167.223.86










 




















   
usernamesa  
  password
   
driverClassName
   
org.hsql.jdbcDriver
url
   
jdbc:HypersonicSQL:database




mail.smtp.host
localhost










-- 
Nick (Nix) Gray
Senior Systems Engineer
Bruzenak Inc.
(512) 331-7998




Re: help using JDBCRealm - how to relate a realm with a security constraint

2003-12-15 Thread Christopher Schultz
Pedro,

What i have done:
1. modify the server.xml file to add a Realm tag ()
Where did you put this declaration? In the  of your web 
application? I recall that Realm declarations can appear in multiple 
places. Make sure that it appears in the  where you have:

2. modify the web.xml to add a security-constraint tag ( 


Area de pruebas de 
seguridad
/cosa.jsp
/test.jsp
DELETE
GET
POST
PUT


  rol de administrador
YYY


)
This looks good. What is the URL that you expect to be protected, and is 
not protected? Also, try removing the  settings, just in 
case that is complicating things.

-chris



help using JDBCRealm - how to relate a realm with a security constraint

2003-12-15 Thread Pedro Garcia
Hi!
I am trying to set up security management for my web applications 
through JDBCRealm.

What i have done:
1. modify the server.xml file to add a Realm tag ()

The database and corresponding tables exist.

2. modify the web.xml to add a security-constraint tag ( 

		
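	<security-constraint>
		<web-resource-collection>
			<web-resource-name>Area de pruebas de seguridad</web-resource-name>
			<url-pattern>/cosa.jsp</url-pattern>
			<url-pattern>/test.jsp</url-pattern>
			<http-method>DELETE</http-method>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
			<http-method>PUT</http-method>
		</web-resource-collection>
		<auth-constraint>
			<description>rol de administrador</description>
			<role-name>YYY</role-name>
		</auth-constraint>
	</security-constraint>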
		
	
)

YYY is a role defined in the database

It doesn't work. So I want to know how to relate a realm declared within 
a context with the entries in the web.xml file in order to have the users 
of my web application authenticated against my -user, roles- database.

Thanks!

--
---
| Pedro A García Medina   |
| Groove Media|
| emailto: [EMAIL PROTECTED] |
| Tel: 6211072|
|--


Re: security-constraint question

2003-11-04 Thread Giselle Dazzi
Thanks guys, I got it...


- Original Message -
From: "Giselle Dazzi" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, November 04, 2003 10:29 PM
Subject: Re: security-constraint question


> Im having a hard time calling those methods, I guess I need to create an
> object, does anyone have a sample code ? Here's what Im getting now:
>
>
F:\jakarta-tomcat-4.1.27\work\Standalone\localhost\locadora\menu_jsp.java:58
> : non-static method getUserPrincipal() cannot be referenced from a static
> context
>  java.security.Principal usuarioPrincipal =
> HttpServletRequestWrapper.getUserPrincipal();
>
> I guess I need to create a HttpServletRequestWrapper object, but the
> constructor expects a ServletRequest request, and Im kind of lost what
that
> would be
>
>
>
> - Original Message -
> From: "Christopher Schultz" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Tuesday, November 04, 2003 8:58 PM
> Subject: Re: security-constraint question
>
>
> > Giselle,
> > > Im using the  feature of Tomcat. Everything
> > > works well, but I dont know how to retrieve the login entered during
> > > authentication to use it throughout my application... Have you guys
> > > done this before ?
> >
> > What you want is request.getUserPrincipal(). This will return a
> > java.security.Principal object. You can get the name by calling
> > getName() on that object.
> >
> > Unfortunately, you can't get the role or roles for the user. You have to
> > know the roles beforehand and then use request.isUserInRole to determine
> > wether they are or are not in a given role. :(
> >
> > -chris
> >
> >
> >
> >
>
>
>
>
>






Re: security-constraint question

2003-11-04 Thread Giselle Dazzi
I'm having a hard time calling those methods. I guess I need to create an
object; does anyone have sample code? Here's what I'm getting now:

F:\jakarta-tomcat-4.1.27\work\Standalone\localhost\locadora\menu_jsp.java:58
: non-static method getUserPrincipal() cannot be referenced from a static
context
 java.security.Principal usuarioPrincipal =
HttpServletRequestWrapper.getUserPrincipal();

I guess I need to create a HttpServletRequestWrapper object, but the
constructor expects a ServletRequest request, and I'm kind of lost what that
would be



- Original Message -
From: "Christopher Schultz" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, November 04, 2003 8:58 PM
Subject: Re: security-constraint question


> Giselle,
> > Im using the  feature of Tomcat. Everything
> > works well, but I dont know how to retrieve the login entered during
> > authentication to use it throughout my application... Have you guys
> > done this before ?
>
> What you want is request.getUserPrincipal(). This will return a
> java.security.Principal object. You can get the name by calling
> getName() on that object.
>
> Unfortunately, you can't get the role or roles for the user. You have to
> know the roles beforehand and then use request.isUserInRole to determine
> wether they are or are not in a given role. :(
>
> -chris
>
>
>
>






Re: security-constraint question

2003-11-04 Thread Tim Funk
See the HttpServletRequest class. (getRemoteUser() or getUserPrincipal())

-Tim

Giselle Dazzi wrote:
Hi everybody,

Im using the  feature of Tomcat. Everything works well, but I dont know how to retrieve the login entered during authentication to use it throughout my application... Have you guys done this before ?

thx

My login page is specified in my web.xml:


  FORM
  Autenticacao
  
/login.jsp
/errorpage.html
  
  





Re: security-constraint question

2003-11-04 Thread Christopher Schultz
Giselle,
Im using the  feature of Tomcat. Everything
works well, but I dont know how to retrieve the login entered during
authentication to use it throughout my application... Have you guys
done this before ?
What you want is request.getUserPrincipal(). This will return a 
java.security.Principal object. You can get the name by calling 
getName() on that object.

Unfortunately, you can't get the role or roles for the user. You have to 
know the roles beforehand and then use request.isUserInRole to determine 
whether they are or are not in a given role. :(

-chris



Re: security-constraint question

2003-11-04 Thread Caroline Jen
First of all, I am not sure that you need 
in the web.xml if you use form-based authentication.

You may use getRemoteUser() to get the name of the
user.
--- Giselle Dazzi <[EMAIL PROTECTED]> wrote:
> Hi everybody,
> 
> Im using the  feature of
> Tomcat. Everything works well, but I dont know how
> to retrieve the login entered during authentication
> to use it throughout my application... Have you guys
> done this before ?
> 
> thx
> 
> My login page is specified in my web.xml:
> 
> 
>   FORM
>   Autenticacao
>   
>
> /login.jsp
>
> /errorpage.html
>   
>   
> 





security-constraint question

2003-11-04 Thread Giselle Dazzi
Hi everybody,

I'm using the  feature of Tomcat. Everything works well, but I 
don't know how to retrieve the login entered during authentication to use it throughout 
my application... Have you guys done this before?

thx

My login page is specified in my web.xml:


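<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Autenticacao</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/errorpage.html</form-error-page>
  </form-login-config>
</login-config>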
  
  


Re: Broken?: security constraint for actions

2003-08-29 Thread Tim Funk
You can't use query strings in security constraints.

You can always do programmatic authorization via request.isUserInRole(userName)

-Tim

[EMAIL PROTECTED] wrote:

Hello, 

I have set up a struts-like web app running under Tomcat 4.1.27 on
win2000 and JDK1.4.2.  I want to restrict access parts of my app based
on the "action" parameter in the URL.  That is, calls to 

/controller?action=deposit

can be made by members of the group "user".  But, say, calls to

/controller?action=withdraw

can only be made by member of the group "admin".

How can I protect these resources?  If I try to use



ListAccounts
The pages
/controller?action=withdraw


admin

 

The container ignores the constraint.  What is wrong here?

Also, I have seen web.xml files in which classes themselves are
constrained via a url-pattern such as
/WEB-INF/classes/a/b/Foo.class

If I try to use such restraints in Tomcat, they are not honored.

Any ideas or references?





Re: Broken?: security constraint for actions

2003-08-29 Thread ToFu
Perhaps you should try using distinct directories instead?  That should work
a little more cleanly.


Todd


- Original Message -
From: <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, August 29, 2003 3:01 AM
Subject: Broken?: security constraint for actions


> Hello,
>
> I have set up a struts-like web app running under Tomcat 4.1.27 on
> win2000 and JDK1.4.2.  I want to restrict access parts of my app based
> on the "action" parameter in the URL.  That is, calls to
>
> /controller?action=deposit
>
> can be made by members of the group "user".  But, say, calls to
>
> /controller?action=withdraw
>
> can only be made by member of the group "admin".
>
> How can I protect these resources?  If I try to use
>
>
> 
> 
> ListAccounts
> The pages
> /controller?action=withdraw
> 
> 
> admin
> 
> 
>
> The container ignores the constraint.  What is wrong here?
>
> Also, I have seen web.xml files in which classes themselves are
> constrained via a url-pattern such as
>
> /WEB-INF/classes/a/b/Foo.class
>
> If I try to use such restraints in Tomcat, they are not honored.
>
> Any ideas or references?
>
> Thanks
>
> Bruce Sams
>
> =
> Dr. Bruce J. Sams, III
> mediateam
> Weidenweg 2, 85375 Neufahrn
> Germany
> tel: +49 (0) 8165/65095
> fax: +49 (0) 8165/65096
> web: http://www.mediateam.de
>
>
>
>
>





Broken?: security constraint for actions

2003-08-29 Thread [EMAIL PROTECTED]
Hello, 

I have set up a struts-like web app running under Tomcat 4.1.27 on
win2000 and JDK1.4.2.  I want to restrict access to parts of my app based
on the "action" parameter in the URL.  That is, calls to 

/controller?action=deposit

can be made by members of the group "user".  But, say, calls to

/controller?action=withdraw

can only be made by members of the group "admin".

How can I protect these resources?  If I try to use




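<security-constraint>
  <web-resource-collection>
    <web-resource-name>ListAccounts</web-resource-name>
    <description>The pages</description>
    <url-pattern>/controller?action=withdraw</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>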

 

The container ignores the constraint.  What is wrong here?

Also, I have seen web.xml files in which classes themselves are
constrained via a url-pattern such as

/WEB-INF/classes/a/b/Foo.class

If I try to use such restraints in Tomcat, they are not honored.

Any ideas or references?

Thanks

Bruce Sams

=
Dr. Bruce J. Sams, III
mediateam
Weidenweg 2, 85375 Neufahrn
Germany
tel: +49 (0) 8165/65095  
fax: +49 (0) 8165/65096 
web: http://www.mediateam.de






RE: Tomcat 4.0.3: security-constraint error in web.xml

2003-08-28 Thread Duncan Strang
Here's another good resource

http://edocs.bea.com/wls/docs61/webapp/webappdeployment.html#1012209

Cheers

-Original Message-
From: tito santini [mailto:[EMAIL PROTECTED] 
Sent: 28 August 2003 15:24
To: Tomcat Users List
Subject: Tomcat 4.0.3: security-constraint error in web.xml


Dear all,
we actually have this very "boring" problem on Tomcat 4.0.3 (why not yet
upgraded? customer requirements):

We want to restrict access to our application to the HTTPS port only.
After many unsuccessful tests, we added, for testing purposes, the
following lines (which we believe to be the minimal configuration for
achieving security) to our web.xml file:



  
   Tutta IPMS
  



Unfortunately, at startup Tomcat refuses the above lines saying, in its
log file catalina.out :

org.xml.sax.SAXParseException: The content of element type "web-app" must match "(icon?,display-name?,description?,distributable?,context-param*,servlet*,servlet-mapping*,session-config?,mime-mapping*,welcome-file-list?,error-page*,taglib*,resource-ref*,security-constraint*,login-config?,security-role*,env-entry*,ejb-ref*)"


What's wrong? Any hint?

Many thanks in advance for your help.


Tito Santini





RE: Tomcat 4.0.3: security-constraint error in web.xml

2003-08-28 Thread Duncan Strang
It could be that the  element is in the wrong
place in the web.xml file.

Elements need to be listed in a particular order. They can't just be
placed anywhere. The parser error tells you the order in which elements
are allowed. Does your web.xml comply with this ?

Check out the servlet specification from Sun for the full DTD

-Original Message-
From: tito santini [mailto:[EMAIL PROTECTED] 
Sent: 28 August 2003 15:24
To: Tomcat Users List
Subject: Tomcat 4.0.3: security-constraint error in web.xml


Dear all,
we actually have this very "boring" problem on Tomcat 4.0.3 (why not yet
upgraded? customer requirements):

We want to restrict access to our application to the HTTPS port only.
After many unsuccessful tests, we added, for testing purposes, the
following lines (which we believe to be the minimal configuration for
achieving security) to our web.xml file:



  
   Tutta IPMS
  



Unfortunately, at startup Tomcat refuses the above lines saying, in its
log file catalina.out :

org.xml.sax.SAXParseException: The content of element type "web-app" must match "(icon?,display-name?,description?,distributable?,context-param*,servlet*,servlet-mapping*,session-config?,mime-mapping*,welcome-file-list?,error-page*,taglib*,resource-ref*,security-constraint*,login-config?,security-role*,env-entry*,ejb-ref*)"


What's wrong? Any hint?

Many thanks in advance for your help.


Tito Santini





Tomcat 4.0.3: security-constraint error in web.xml

2003-08-28 Thread tito santini
Dear all,
we actually have this very "boring" problem on Tomcat 4.0.3 (why not yet
upgraded? customer requirements):

We want to restrict access to our application to the HTTPS port only.
After many unsuccessful tests, we added, for testing purposes, the
following lines (which we believe to be the minimal configuration
for achieving security) to our web.xml file:



  
   Tutta IPMS
  



Unfortunately, at startup Tomcat refuses the above lines saying, in its log
file catalina.out :

org.xml.sax.SAXParseException: The content of element type "web-app" must match "(icon?,display-name?,description?,distributable?,context-param*,servlet*,servlet-mapping*,session-config?,mime-mapping*,welcome-file-list?,error-page*,taglib*,resource-ref*,security-constraint*,login-config?,security-role*,env-entry*,ejb-ref*)"


What's wrong? Any hint?

Many thanks in advance for your help.


Tito Santini





Problem with applet in jar file accessed from JSP page in area protected with a security constraint.

2003-08-01 Thread Jim Solderitsch
The problem occurs under my test environment which is a Mac Powerbook  
G4 running OS X 10.2.6 with Java Plug-in 1.4.1_01. I am running tomcat  
on this machine.

I am trying to first install and then extend a web application that is  
deployed under tomcat 4.1.24.

There is a login based configuration for most of the pages of the site  
-- I have  tags and a  section in  
my applications web.xml file.

My problem is this:

One of the protected pages is a jsp (map.jsp) page that has an applet  
tag. This tag references a jar file that is also contained in the same  
protected folder (called /protected) as the jsp page.

When I login and access the page with the applet, in my java console I  
see the exception:

java.lang.ClassFormatError: com/gestalt/sgs/client/MapAsset (Bad magic number)
	at java.lang.ClassLoader.defineClass0(Native Method)
	at java.lang.ClassLoader.defineClass(ClassLoader.java:502)
	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
	at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:148)
	at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:168)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
	at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:114)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:255)
	at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:501)
	at sun.applet.AppletPanel.createApplet(AppletPanel.java:574)
	at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1828)
	at sun.applet.AppletPanel.runLoader(AppletPanel.java:503)
	at sun.applet.AppletPanel.run(AppletPanel.java:292)
	at java.lang.Thread.run(Thread.java:554)

The applet apparently is never retrieved from the server. I am using  
Apple's Safari browser for this test, but the applet also fails to load  
using Mozilla 1.4 which uses the 1.4.1 plug-in.

Interesting point 1:

If I access my application from a Windows machine (running XP  
Professional with IE and Sun's Java plug-in 1.4.1), the applet DOES  
load and the application works.

Interesting point 2:

If I move the applet's jar file and the JSP page containing the applet  
tag to another part of application's folder hierarchy, NOT inside the  
protected area, and then change the pages that refer to this page to  
use the new location, the applet can be invoked from the enclosing page  
on my test Powerbook with Safari.

I asked on the Mac Java dev mailing list about this and got some ideas  
but no definitive answers.

Anyone with more tomcat experience than I (I have dabbled over the
years but have not done anything recently) care to interpret this
phenomenon?

My applet tag inside of map.jsp looks like:

   
  
  
  
   
As I said above, the jar file is located in the same folder as the jsp.  
All of the pages are part of the folder pattern defined in the tag:

   
  
 SGS Authorized Pages
 
 
 /protected/*
  
  
 user
  
   
inside the application's web.xml file.

I would rather not move the problem page and applet to a non-protected  
area of my folder hierarchy. But the only way I can get the applet to  
load in my development and test environment is to make this re-location.

Any thoughts/advice appreciated.

Jim Solderitsch
[EMAIL PROTECTED]


Re: File cannot be download with security-constraint...

2003-07-31 Thread Jon Wingfield
Cool. Was just writing a response about the headers tomcat adds when 
using a security restraint. But you've already worked it out...

I've only seen the problem when using IE with SSL + security constraint
but I guess it's more of a general problem. :(

Jon

Rob Tomlin wrote:
ah the old IE + SSL + caching problem ;)


This seems to solve the problem:

response.setHeader("Cache-Control", "public");



RE: File cannot be download with security-constraint...

2003-07-31 Thread Rob Tomlin
> ah the old IE + SSL + caching problem ;)

This seems to solve the problem:

response.setHeader("Cache-Control", "public");




RE: File cannot be download with security-constraint...

2003-07-31 Thread Rob Tomlin

> ah the old IE + SSL + caching problem ;)

I am not using SSL,


I haveadding the suggested code it does not 
solve the problem...

Cheers

Rob




Re: File cannot be download with security-constraint...

2003-07-31 Thread Jon Wingfield
ah the old IE + SSL + caching problem ;)

Try adding:

final String userAgent = request.getHeader("user-agent");
if (response.containsHeader("Pragma")
        && userAgent != null
        && userAgent.toUpperCase().indexOf("MSIE") > -1) {
    // Override the Pragma header already set on the response when the client is IE
    response.setHeader("Pragma", "public");
}

Solved it for us.

Jon

Rob Tomlin wrote:

Hi,

I have a servlet that is used to download a file to the client.

I am using Tomcat 4.1.24, with IE6.

All is fine when no  is applied in the deployment
descriptor, but when I introduce such a constraint the file cannot be
downloaded. I receive the error:
Internet Explorer cannot download servlet?d=file.pdf from localhost.

My code to download is:

// needs java.io.File and java.io.FileInputStream; "out" is the response's output stream
FileInputStream in = null;  // declared outside try so that finally can close it
try {
    String filename = "spec1.pdf";
    String downloadType = "application/pdf";
    response.setContentType(downloadType + "; name=\"" + filename + "\"");

    File file = new File("/" + filename);
    in = new FileInputStream(file);
    response.setContentLength((int) file.length());
    byte[] buf = new byte[4 * 1024];  // 4K buffer
    int bytesRead;
    while ((bytesRead = in.read(buf)) != -1) {
        out.write(buf, 0, bytesRead);
    }
}
finally {
    if (in != null) in.close();
}

I found some references to setting the content-disposition header however
setting this did not seem to solve the problem:
response.setHeader("Content-Disposition","inline; filename=\"" + filename + "\";");

Any ideas/solutions would be greatly appreciated.

Cheers

Rob Tomlin



File cannot be download with security-constraint...

2003-07-31 Thread Rob Tomlin
Hi,

I have a servlet that is used to download a file to the client.

I am using Tomcat 4.1.24, with IE6.

All is fine when no  is applied in the deployment
descriptor, but when I introduce such a constraint the file cannot be
downloaded. I receive the error:

Internet Explorer cannot download servlet?d=file.pdf from localhost.

My code to download is:

// needs java.io.File and java.io.FileInputStream; "out" is the response's output stream
FileInputStream in = null;  // declared outside try so that finally can close it
try {
    String filename = "spec1.pdf";
    String downloadType = "application/pdf";

    response.setContentType(downloadType + "; name=\"" + filename + "\"");

    File file = new File("/" + filename);
    in = new FileInputStream(file);
    response.setContentLength((int) file.length());

    byte[] buf = new byte[4 * 1024];  // 4K buffer
    int bytesRead;
    while ((bytesRead = in.read(buf)) != -1) {
        out.write(buf, 0, bytesRead);
    }
}
finally {
    if (in != null) in.close();
}

I found some references to setting the content-disposition header however
setting this did not seem to solve the problem:

response.setHeader("Content-Disposition","inline; filename=\"" + filename + "\";");

Any ideas/solutions would be greatly appreciated.

Cheers

Rob Tomlin




RE: security constraint & web.xml

2003-06-14 Thread Euan Guttridge
Thanks John - solved.

-Original Message-
From: John Rishea [mailto:[EMAIL PROTECTED] 
Sent: 14 June 2003 16:46
To: Tomcat Users List
Subject: RE: security constraint & web.xml


Euan,

If you look at the DTD 2.3 specs, the  and
 entries have to be placed after the  entries.  It's
very picky about tags being in the correct order.

Hope that helps.

__
John Rishea
Avaya, Inc.
(303) 538-4503

-Original Message-
From: Euan Guttridge [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 14, 2003 9:41 AM
To: '[EMAIL PROTECTED]'
Subject: security constraint & web.xml


The security constraint I am adding is screwing up my web.xml. After adding
the constraint tomcat cannot find my taglibs. Any ideas? (web.xml below)

Thanks,
Euan






http://java.sun.com/dtd/web-app_2_3.dtd";>


  
  TestOnline
  
 Build of Test
  

   
webmaster
[EMAIL PROTECTED]

The EMAIL address of the administrator to whom questions
and comments about this application should be addressed.
  
  

   

test1
/jsp/admin/test1/*


test1-user

   

  

test2
/jsp/admin/test2/*


test2-user

  

  
BASIC
test1
test2
  


  
User
com.test.user.UserServlet
  


  
  User
  /ProjectsOnline
  

  
30

  


  
/archtaglib
/WEB-INF/lib/archtaglib.jar
  
  
/distributiontaglib
/WEB-INF/lib/distributiontaglib.jar
  
  
/formstaglib
/WEB-INF/lib/formstaglib.jar
  
  
/localtaglib
/WEB-INF/lib/localtaglib.jar
  
  
/navigationtaglib
/WEB-INF/lib/navigationtaglib.jar
  
  
/summarytaglib
/WEB-INF/lib/summarytaglib.jar
  





Euan Guttridge
Technical Operations
BuildOnline
40 Holborn Viaduct
London
EC1N 2PB
UK Customer Services:  0870 241 2283
Telephone:   +44 (0)20 7836 2883
Fax: +44 (0)20 7836 2886


www.BuildOnline.com
'Save Time, BuildOnline'



This email and any files transmitted are confidential and intended solely
for the use of the individual or entity to which they are addressed. If you
have received this email in error, please notify
BuildOnline: Tel: +44 (0)20 7836 2883

**




RE: security constraint & web.xml

2003-06-14 Thread John Rishea
Euan,

If you look at the DTD 2.3 specs, the  and
 entries have to be placed after the  entries.  It's
very picky about tags being in the correct order.

Hope that helps.

__
John Rishea
Avaya, Inc.
(303) 538-4503

-Original Message-
From: Euan Guttridge [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 14, 2003 9:41 AM
To: '[EMAIL PROTECTED]'
Subject: security constraint & web.xml


The security constraint I am adding is screwing up my web.xml. After adding
the constraint tomcat cannot find my taglibs. Any ideas? (web.xml below)

Thanks,
Euan






http://java.sun.com/dtd/web-app_2_3.dtd";>


  
  TestOnline
  
 Build of Test
  

   
webmaster
[EMAIL PROTECTED]

The EMAIL address of the administrator to whom questions
and comments about this application should be addressed.
  
  

   

test1
/jsp/admin/test1/*


test1-user

   

  

test2
/jsp/admin/test2/*


test2-user

  

  
BASIC
test1
test2
  


  
User
com.test.user.UserServlet
  


  
  User
  /ProjectsOnline
  

  
30

  


  
/archtaglib
/WEB-INF/lib/archtaglib.jar
  
  
/distributiontaglib
/WEB-INF/lib/distributiontaglib.jar
  
  
/formstaglib
/WEB-INF/lib/formstaglib.jar
  
  
/localtaglib
/WEB-INF/lib/localtaglib.jar
  
  
/navigationtaglib
/WEB-INF/lib/navigationtaglib.jar
  
  
/summarytaglib
/WEB-INF/lib/summarytaglib.jar
  





Euan Guttridge
Technical Operations
BuildOnline
40 Holborn Viaduct
London
EC1N 2PB
UK Customer Services:  0870 241 2283
Telephone:   +44 (0)20 7836 2883
Fax: +44 (0)20 7836 2886


www.BuildOnline.com
'Save Time, BuildOnline'



This email and any files transmitted are confidential and intended
solely for the use of the individual or entity to which they are
addressed. If you have received this email in error, please notify
BuildOnline: Tel: +44 (0)20 7836 2883

**




security constraint & web.xml

2003-06-14 Thread Euan Guttridge
The security constraint I am adding is screwing up my web.xml. After adding
the constraint tomcat cannot find my taglibs. Any ideas? (web.xml below)

Thanks,
Euan






http://java.sun.com/dtd/web-app_2_3.dtd";>


  
  TestOnline
  
 Build of Test
  
 
   
webmaster
[EMAIL PROTECTED]

The EMAIL address of the administrator to whom questions
and comments about this application should be addressed.
  
  

   

test1
/jsp/admin/test1/*


test1-user

   

  

test2
/jsp/admin/test2/*


test2-user

  

  
BASIC
test1
test2
   
   
   
  
User
com.test.user.UserServlet
  
  
  
  
  User
  /ProjectsOnline
  
 
  
30

  
  
  
  
/archtaglib
/WEB-INF/lib/archtaglib.jar
  
  
/distributiontaglib
/WEB-INF/lib/distributiontaglib.jar
  
  
/formstaglib
/WEB-INF/lib/formstaglib.jar
  
  
/localtaglib
/WEB-INF/lib/localtaglib.jar
  
  
/navigationtaglib
/WEB-INF/lib/navigationtaglib.jar
  
  
/summarytaglib
/WEB-INF/lib/summarytaglib.jar
  
  




Euan Guttridge 
Technical Operations 
BuildOnline 
40 Holborn Viaduct 
London 
EC1N 2PB 
UK Customer Services:  0870 241 2283 
Telephone:   +44 (0)20 7836 2883 
Fax: +44 (0)20 7836 2886 


www.BuildOnline.com 
'Save Time, BuildOnline' 



This email and any files transmitted are confidential and intended 
solely for the use of the individual or entity to which they are 
addressed. If you have received this email in error, please notify 
BuildOnline: Tel: +44 (0)20 7836 2883 

** 
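
Both this thread and the Tomcat 4.0.3 SAXParseException quoted earlier on this page are element-order problems in web.xml. An added example (not from any poster or from Tomcat): a Python check of the top-level element order against the content model quoted in that exception. The sample descriptor is constructed from values in the message above, the function names are hypothetical, and another DTD version's content model can be passed as `model`.

```python
import re
import xml.etree.ElementTree as ET

# Content model of <web-app>, copied from the SAXParseException quoted on this page
CONTENT_MODEL = (
    "icon?,display-name?,description?,distributable?,context-param*,servlet*,"
    "servlet-mapping*,session-config?,mime-mapping*,welcome-file-list?,"
    "error-page*,taglib*,resource-ref*,security-constraint*,login-config?,"
    "security-role*,env-entry*,ejb-ref*"
)


def parse_model(model):
    """Turn 'a?,b*,c' into [('a', '?'), ('b', '*'), ('c', '')]."""
    items = []
    for item in model.split(","):
        m = re.fullmatch(r"([\w.-]+)([?*+]?)", item.strip())
        if m is None:
            raise ValueError(f"unsupported content-model item: {item!r}")
        items.append((m.group(1), m.group(2)))
    return items


def check_order(xml_text, model=CONTENT_MODEL):
    """Return a list of problems; an empty list means the order is valid."""
    spec = parse_model(model)
    rank = {name: i for i, (name, _) in enumerate(spec)}
    single = {name for name, occ in spec if occ in ("", "?")}
    problems, seen = [], set()
    highest, highest_name = -1, None
    for child in ET.fromstring(xml_text):
        name = child.tag
        if name not in rank:
            problems.append(f"<{name}> is not in the content model")
            continue
        if name in seen and name in single:
            problems.append(f"<{name}> may appear only once")
        seen.add(name)
        if rank[name] < highest:
            problems.append(f"<{name}> must come before <{highest_name}>")
        else:
            highest, highest_name = rank[name], name
    return problems


def reorder(xml_text, model=CONTENT_MODEL):
    """Return the document with top-level elements sorted into model order."""
    rank = {name: i for i, (name, _) in enumerate(parse_model(model))}
    root = ET.fromstring(xml_text)
    # sorted() is stable, so repeated elements keep their relative order
    root[:] = sorted(root, key=lambda e: rank.get(e.tag, len(rank)))
    return ET.tostring(root, encoding="unicode")


# Constructed sample: security-constraint and login-config placed before
# servlet and taglib, which is the layout this thread describes.
SAMPLE = """<web-app>
  <display-name>TestOnline</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test1</web-resource-name>
      <url-pattern>/jsp/admin/test1/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>test1-user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <servlet>
    <servlet-name>User</servlet-name>
    <servlet-class>com.test.user.UserServlet</servlet-class>
  </servlet>
  <taglib>
    <taglib-uri>/archtaglib</taglib-uri>
    <taglib-location>/WEB-INF/lib/archtaglib.jar</taglib-location>
  </taglib>
</web-app>"""

if __name__ == "__main__":
    for problem in check_order(SAMPLE):
        print(problem)
    print("after reorder:", check_order(reorder(SAMPLE)))
```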




Remove role from security constraint?

2003-04-02 Thread Boris Folgmann
Hi!

Does anybody know a method to remove a role from a security constraint
during runtime? I need this for disabling logins for ordinary users during
special maintenance inside the application.

cu,
boris

-- 
Dipl.-Inf. Boris Folgmann   mailto:[EMAIL PROTECTED]
Folgmann IT-Consulting  http://www.folgmann.de





Tomcat and security-constraint

2003-04-02 Thread Giorgio Ponza
Hi all
My conf:
Tomcat 4.1.18 LE JDK1.4
Apache 2.0.44 with openssl
mod_jk

I want to secure a JSP page, but not with authentication, only with HTTPS
support.
So I added the lines in WEB.XML


  
  Test securing JSP pages
  Test securing JSP pages
  /jsp/users/*.jsp
  
   
   CONFIDENTIAL
   


but Tomcat's log says: # No Realm has been configured to authenticate against
So I uncommented MemoryRealm (I think it is not the right Realm)
and it now says
ContextConfig[]: Configured an authenticator for method NONE

and obviously the pages in /jsp/users continue to use simple HTTP transport
protocol

Can anyone tell me what I have to configure, or which Realm I have to use?
Tx in advance

Giorgio Ponza






Re: R: Bypassing security-constraint in 4.0.2

2003-03-04 Thread Paul Downs
* Simone Chiaretta ([EMAIL PROTECTED]) wrote :
> Don't know
> probably it's a bug of 4.0.2
> it's a very old release... I've 4.0.4, I tried bypassing the security to
> test if I'm affected too
> but it always asks me for authentication
>
> I suggest that you upgrade to a newer release of the server

Hi,
  Sadly that has severe implications for me in this instance.  Oh well I
have replaced all the sites affected with .htaccess authentication for now.
Does anyone know what jar file controls this?  Perhaps I can use a really
kludgy fix for now by just upgrading the one aspect?

Paul




R: Bypassing security-constraint in 4.0.2

2003-03-04 Thread Simone Chiaretta
Don't know
probably it's a bug of 4.0.2
it's a very old release... I've 4.0.4, I tried bypassing the security to
test if I'm affected too
but it always asks me for authentication

I suggest that you upgrade to a newer release of the server
Simone

> -Original Message-
> From: Paul Downs [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 4 March 2003 12.03
> To: Tomcat Users List
> Subject: Bypassing security-constraint in 4.0.2
>
>
>
> Hi,
>   If I have the following configuration:
>
> 
>   
> site
> /secret/*
>   
>   
> administrator
>   
> 
>
>   I get prompted for a username and password for this url:
>
> www.testing.com/secret/
>
>   but not for this:
>
> www.testing.com//secret
>
>   was this a known bug, I couldn't find much about it and thought
> it may be
> quicker to ask you guys?
>
> Paul
>



Bypassing security-constraint in 4.0.2

2003-03-04 Thread Paul Downs

Hi,
  If I have the following configuration:


  
site
/secret/*
  
  
administrator
  


  I get prompted for a username and password for this url:

www.testing.com/secret/
  
  but not for this:

www.testing.com//secret

  was this a known bug, I couldn't find much about it and thought it may be
quicker to ask you guys?

Paul
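
The three url-pattern questions in the messages above (a query string inside the pattern, `/jsp/users/*.jsp`, and `//secret` versus `/secret/*`) all come down to how a url-pattern is compared with the request path. An added example, not from any poster and not Tomcat's code: a simplified Python model of the Servlet specification's matching rules that audits such patterns. The function names and the request URIs are constructed for illustration.

```python
import re


def classify(pattern):
    """Kind of match the Servlet specification assigns to a url-pattern."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    return "exact"  # every other string is compared literally


def request_path(uri, normalize=True):
    """Path a constraint is matched against: the query string is dropped and,
    if normalize is set, runs of '/' are collapsed to one '/'."""
    path = uri.split("?", 1)[0]
    if normalize:
        path = re.sub(r"/{2,}", "/", path)
    return path


def matches(pattern, path):
    """True if the context-relative path falls under the url-pattern."""
    kind = classify(pattern)
    if kind == "default":
        return True  # simplification: treated here as matching every path
    if kind == "prefix":
        base = pattern[:-2]  # "/secret/*" -> "/secret"
        return path == base or path.startswith(base + "/")
    if kind == "extension":
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern


def first_match(patterns, uri, normalize=True):
    """Return the first pattern covering the request URI, or None."""
    path = request_path(uri, normalize)
    return next((p for p in patterns if matches(p, path)), None)


def audit(pattern):
    """Warnings for patterns that cannot protect what their author intended."""
    warnings = []
    if "?" in pattern:
        warnings.append("contains a query string; only the path is matched")
    if classify(pattern) == "exact" and "*" in pattern:
        warnings.append("'*' is literal here; use '/dir/*' or '*.ext'")
    if pattern.upper().startswith("/WEB-INF/"):
        warnings.append("WEB-INF is never served to clients; constrain the "
                        "URL that reaches the class instead")
    return warnings


if __name__ == "__main__":
    # Patterns quoted in the messages on this page
    quoted = ["/controller?action=withdraw", "/jsp/users/*.jsp",
              "/WEB-INF/classes/a/b/Foo.class", "/secret/*"]
    for p in quoted:
        print(f"{p:35} {classify(p):9} {audit(p)}")
    # Constructed, context-relative request URIs
    for uri in ["/controller?action=withdraw", "/jsp/users/login.jsp",
                "/secret/", "//secret"]:
        print(f"{uri:30} raw={first_match(quoted, uri, normalize=False)} "
              f"normalized={first_match(quoted, uri)}")
```

Because the query string never takes part in matching, a per-action rule such as the `action=withdraw` case has to be enforced inside the controller, for example with `HttpServletRequest.isUserInRole`.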




Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed

2003-02-10 Thread Sean Dockery
It seems unlikely that IIS would arbitrarily intercept a request that it has
been instructed to forward, but I do not know enough about integrating IIS
with Tomcat to know for sure.

Perhaps you can turn on the RequestDumper Valve in Tomcat to see what
headers are being submitted when you access Tomcat through the standalone
port versus accessing Tomcat through IIS.  That might give you more
information than you have now.  :-)

Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

- Original Message -
From: "Felipe" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Monday, February 10, 2003 14:39
Subject: RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed


> Yes. I can authenticate through the tomcat standalone port.
> I am using the BASIC with a MemoryRealm.
> Everything as simple as it can get!
>
> Do you know if it is possible to have IIS to leave the authentication to
> tomcat?
>
> Thanks,
> Felipe
>
>
> -Original Message-
> From: Sean Dockery [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 10, 2003 3:50 PM
> To: Tomcat Users List
> Subject: Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed
>
> Can you authenticate through the Tomcat standalone port?  Or does that fail
> as well?
>
> What method of authentication are you using?  BASIC or DIGEST?  If you are
> currently using DIGEST, try BASIC (for testing purposes).
>
> What type of Realm are you authenticating against?  MemoryRealm, JDBC, or
> JNDI?
>
> Sean Dockery
> [EMAIL PROTECTED]
> Certified Java Web Component Developer
> Certified Delphi Programmer
> SBD Consultants
> http://www.sbdconsultants.com
>
> - Original Message -
> From: "Felipe" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Sent: Monday, February 10, 2003 09:08
> Subject: RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed
>
>
> > Yes. I have defined the user, password and role and everything else needed
> > to make it work on tomcat. What seems to be the problem is that IIS is
> > trying to authenticate the user by itself instead of forwarding the
> > user/password information to tomcat. (It allows me to try 3 times and then
> > gives me the "Unauthorized: Logon Failed" error page regardless of the valid
> > user and password).
> >
> > I know the ISAPI filter is working because if I remove the security
> > constraint from tomcat I can get to it and I know the tomcat security
> > constraint is working because I can get to it using the "stand alone"
> > port.
> >
> > Have you seen this scenario working before? I found some posts with this
> > issue but no reply to any of them.
> >
> > Thanks,
> > Felipe
> >
> >
> >
> > -Original Message-
> > From: Sean Dockery [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, February 10, 2003 8:05 AM
> > To: Tomcat Users List
> > Subject: Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed
> >
> > Where have you defined the user and password that you believe you should be
> > a valid user?  What is the role constraint that you have defined on the web
> > resource?  Is the user in question set up for that role?
> >
> > Sean Dockery
> > [EMAIL PROTECTED]
> > Certified Java Web Component Developer
> > Certified Delphi Programmer
> > SBD Consultants
> > http://www.sbdconsultants.com
> >
> > - Original Message -
> > From: "Felipe Crochik" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Sunday, February 09, 2003 21:34
> > Subject: IIS+Tomcat security constraint = Unauthorized: Logon Failed
> >
> >
> > > I am trying to use the tomcat security constraints "behind" an IIS web
> > > server. I know tomcat and the ISAPI filter are working. Also, Tomcat
> > > authorization is working bypassing IIS using port 8080.
> > >
> > > When I try to reach exactly the same application through IIS (port 80) I
> > > get the user validation dialog box and after I try to login with a valid
> > > user and password I get HTTP 401.1 - Unauthorized: Logon Failed.
> > >
> > > TIA,
> > > Felipe
> > >
> >
> >
> >

RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed

2003-02-10 Thread Felipe
Yes. I can authenticate through the tomcat standalone port.
I am using the BASIC with a MemoryRealm. 
Everything as simple as it can get!

Do you know if it is possible to have IIS to leave the authentication to
tomcat?

Thanks, 
Felipe


-Original Message-
From: Sean Dockery [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 10, 2003 3:50 PM
To: Tomcat Users List
Subject: Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed

Can you authenticate through the Tomcat standalone port?  Or does that fail
as well?

What method of authentication are you using?  BASIC or DIGEST?  If you are
currently using DIGEST, try BASIC (for testing purposes).

What type of Realm are you authenticating against?  MemoryRealm, JDBC, or
JNDI?

Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

- Original Message -
From: "Felipe" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Monday, February 10, 2003 09:08
Subject: RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed


> Yes. I have defined the user, password and role and everything else needed
> to make it work on tomcat. What seems to be the problem is that IIS is
> trying to authenticate the user by itself instead of forwarding the
> user/password information to tomcat. (It allows me to try 3 times and then
> gives me the "Unauthorized: Logon Failed" error page regardless of the valid
> user and password).
>
> I know the ISAPI filter is working because if I remove the security
> constraint from tomcat I can get to it and I know the tomcat security
> constraint is working because I can get to it using the "stand alone"
> port.
>
> Have you seen this scenario working before? I found some posts with this
> issue but no reply to any of them.
>
> Thanks,
> Felipe
>
>
>
> -Original Message-
> From: Sean Dockery [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 10, 2003 8:05 AM
> To: Tomcat Users List
> Subject: Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed
>
> Where have you defined the user and password that you believe you should be
> a valid user?  What is the role constraint that you have defined on the web
> resource?  Is the user in question set up for that role?
>
> Sean Dockery
> [EMAIL PROTECTED]
> Certified Java Web Component Developer
> Certified Delphi Programmer
> SBD Consultants
> http://www.sbdconsultants.com
>
> - Original Message -
> From: "Felipe Crochik" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, February 09, 2003 21:34
> Subject: IIS+Tomcat security constraint = Unauthorized: Logon Failed
>
>
> > I am trying to use the tomcat security constraints "behind" an IIS web
> > server. I know tomcat and the ISAPI filter are working. Also, Tomcat
> > authorization is working bypassing IIS using port 8080.
> >
> > When I try to reach exactly the same application through IIS (port 80) I
> > get the user validation dialog box and after I try to login with a valid
> > user and password I get HTTP 401.1 - Unauthorized: Logon Failed.
> >
> > TIA,
> > Felipe
> >
>
>
>




Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed

2003-02-10 Thread Sean Dockery
Can you authenticate through the Tomcat standalone port?  Or does that fail
as well?

What method of authentication are you using?  BASIC or DIGEST?  If you are
currently using DIGEST, try BASIC (for testing purposes).

What type of Realm are you authenticating against?  MemoryRealm, JDBC, or
JNDI?

Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

- Original Message -
From: "Felipe" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Monday, February 10, 2003 09:08
Subject: RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed


> Yes. I have defined the user, password and role and everything else needed
> to make it work on tomcat. What seems to be the problem is that IIS is
> trying to authenticate the user by itself instead of forwarding the
> user/password information to tomcat. (It allows me to try 3 times and then
> gives me the "Unauthorized: Logon Failed" error page regardless of the valid
> user and password).
>
> I know the ISAPI filter is working because if I remove the security
> constraint from tomcat I can get to it and I know the tomcat security
> constraint is working because I can get to it using the "stand alone"
> port.
>
> Have you seen this scenario working before? I found some posts with this
> issue but no reply to any of them.
>
> Thanks,
> Felipe
>
>
>
> -Original Message-
> From: Sean Dockery [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 10, 2003 8:05 AM
> To: Tomcat Users List
> Subject: Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed
>
> Where have you defined the user and password that you believe you should be
> a valid user?  What is the role constraint that you have defined on the web
> resource?  Is the user in question set up for that role?
>
> Sean Dockery
> [EMAIL PROTECTED]
> Certified Java Web Component Developer
> Certified Delphi Programmer
> SBD Consultants
> http://www.sbdconsultants.com
>
> - Original Message -
> From: "Felipe Crochik" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, February 09, 2003 21:34
> Subject: IIS+Tomcat security constraint = Unauthorized: Logon Failed
>
>
> > I am trying to use the tomcat security constraints "behind" an IIS web
> > server. I know tomcat and the ISAPI filter are working. Also, Tomcat
> > authorization is working bypassing IIS using port 8080.
> >
> > When I try to reach the exactly same application through IIS (port 80) I
> > get the user validation dialog box and after I try to login with a valid
> > user and password I get HTTP 401.1 - Unauthorized: Logon Failed.
> >
> > TIA,
> > Felipe
> >
>
>
>




RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed

2003-02-10 Thread Felipe
Yes. I have defined the user, password and role and everything else needed
to make it work on tomcat. What seems to be the problem is that IIS is
trying to authenticate the user by itself instead of forwarding the
user/password information to tomcat. (It allows me to try 3 times and then
gives me the "Unauthorized: Logon Failed" error page regardless of the valid
user and password).

I know the ISAPI filter is working because if I remove the security
constraint from tomcat I can get to it and I know the tomcat security
constraint is working because I can get to it using the "stand alone"
port.

Have you seen this scenario working before? I found some posts with this
issue but no reply to any of them.

Thanks, 
Felipe



-Original Message-
From: Sean Dockery [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 10, 2003 8:05 AM
To: Tomcat Users List
Subject: Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed

Where have you defined the user and password that you believe you should be
a valid user?  What is the role constraint that you have defined on the web
resource?  Is the user in question set up for that role?

Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

- Original Message -
From: "Felipe Crochik" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, February 09, 2003 21:34
Subject: IIS+Tomcat security constraint = Unauthorized: Logon Failed


> I am trying to use the tomcat security constraints "behind" an IIS web
> server. I know tomcat and the ISAPI filter are working. Also, Tomcat
> authorization is working bypassing IIS using port 8080.
>
> When I try to reach the exactly same application through IIS (port 80) I
> get the user validation dialog box and after I try to login with a valid
> user and password I get HTTP 401.1 - Unauthorized: Logon Failed.
>
> TIA,
> Felipe
>





Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed

2003-02-10 Thread Sean Dockery
Where have you defined the user and password that you believe you should be
a valid user?  What is the role constraint that you have defined on the web
resource?  Is the user in question set up for that role?

Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

- Original Message -
From: "Felipe Crochik" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, February 09, 2003 21:34
Subject: IIS+Tomcat security constraint = Unauthorized: Logon Failed


> I am trying to use the tomcat security constraints "behind" an IIS web
> server. I know tomcat and the ISAPI filter are working. Also, Tomcat
> authorization is working bypassing IIS using port 8080.
>
> When I try to reach the exactly same application through IIS (port 80) I
> get the user validation dialog box and after I try to login with a valid
> user and password I get HTTP 401.1 - Unauthorized: Logon Failed.
>
> TIA,
> Felipe
>







IIS+Tomcat security constraint = Unauthorized: Logon Failed

2003-02-09 Thread Felipe Crochik
I am trying to use the tomcat security constraints "behind" an IIS web
server. I know tomcat and the ISAPI filter are working. Also, Tomcat
authorization is working bypassing IIS using port 8080.
 
When I try to reach the exactly same application through IIS (port 80) I
get the user validation dialog box and after I try to login with a valid
user and password I get HTTP 401.1 - Unauthorized: Logon Failed.
 
TIA,
Felipe



RE: Security constraint problem with v4.1.18

2002-12-28 Thread mech
Hi Peter,

I think we need more info to help.

Your web.xml update looks okay to me. Double check with
\tomcat\webapps\examples\WEB-INF\web.xml as it also uses a protected
area.

What authorization scheme do you use: form-based, basic auth ?
If form-based send the corresponding parts of your web.xml and info
about the directory structure of your login components

What browser do you use? IE? I'm asking because of a weird problem:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13861 
(if you can confirm this, subscribe, vote, I'm trying to find a
workaround for this problem, although I won't start patching... I think
this problem is somehow connected to requiring "roles", without that
"confidential" seems to work... Strange... I'll keep an eye on that)

What ports is Tomcat running on? 8080/8443 or 80/443?

What does "not work" mean? Error messages, what happens, what doesn't
happen, what should happen?


Michael

> -Original Message-
> From: Peter Lee [mailto:[EMAIL PROTECTED]] 
> Sent: Freitag, 27. Dezember 2002 21:22
> To: [EMAIL PROTECTED]
> Subject: RE: Security constraint problem with v4.1.18
> 
> 
> On 25 Dec 2002 at 13:30, mech wrote:
> 
> > I cannot tell if there's a difference between 4.1.12 and 4.1.18 as I'm
> > still using 4.1.15.
> > 
> > I would first change the url pattern to 
> > /protected/*
> > 
> 
> So, I changed it.
> 
> > Second add 
> > myrole
> > Tags under the document root for all roles you use. As far as I know
> > your s reference to these s. I
> > never tried what happens if you don't specify these, too.
> > 
> 
> I also added 
> myrole under 
> the   tag in my web.xml file
> Is this the correct file?
> It still didn't work.
> 
> Thanks
> 
> > Mech
> > 
> > P.S. Merry Christmas!
> > 
> > > -Original Message-
> > > From: Peter Lee [mailto:[EMAIL PROTECTED]]
> > > Sent: Mittwoch, 25. Dezember 2002 00:01
> > > To: [EMAIL PROTECTED]
> > > Subject: Security constraint problem with v4.1.18
> > > 
> > > 
> > > I upgraded from 4.1.12 to 4.1.18, but I got some problems
> > > with security constraints. I have applied a security 
> > > constraint on a particular url pattern. Only certain users 
> > > with a special rolename can 
> > > access that link. It used to work but now the page does not 
> > > load with v4.1.18. Is SSL implemented differently after 
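> > > v4.1.12 that prevents my application from working?
> > > 
> > > Is there any documentation on tomcat v4.1.18 SSL security stuff?
> > > 
> > > 
> > > Here is my security constraint in web.xml:
> > > 
> > > <security-constraint>
> > >   <web-resource-collection>
> > >     <web-resource-name>SSLResource</web-resource-name>
> > >     <url-pattern>/protected</url-pattern>
> > >   </web-resource-collection>
> > >   <auth-constraint>
> > >     <role-name>myrole</role-name>
> > >   </auth-constraint>
> > >   <user-data-constraint>
> > >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >   </user-data-constraint>
> > > </security-constraint>
> > > 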




RE: Security constraint problem with v4.1.18

2002-12-25 Thread mech
I cannot tell if there's a difference between 4.1.12 and 4.1.18 as I'm
still using 4.1.15.

I would first change the url pattern to
/protected/*

Second add myrole
Tags under the document root for all roles you use. As far as I know
your s reference to these s. I
never tried what happens if you don't specify these, too.

Mech

P.S. Merry Christmas!

> -Original Message-
> From: Peter Lee [mailto:[EMAIL PROTECTED]] 
> Sent: Mittwoch, 25. Dezember 2002 00:01
> To: [EMAIL PROTECTED]
> Subject: Security constraint problem with v4.1.18
> 
> 
> I upgraded from 4.1.12 to 4.1.18, but I got some problems 
> with security constraints. I have applied a security 
> constraint on a particular url pattern. Only certain users 
> with a special rolename can 
> access that link. It used to work but now the page does not 
> load with v4.1.18. Is SSL implemented differently after 
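> v4.1.12 that prevents my application from working?
> 
> Is there any documentation on tomcat v4.1.18 SSL security stuff?
> 
> 
> Here is my security constraint in web.xml:
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>SSLResource</web-resource-name>
>     <url-pattern>/protected</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>myrole</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> 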




Security constraint problem with v4.1.18

2002-12-24 Thread Peter Lee
I upgraded from 4.1.12 to 4.1.18, but I got some problems with security constraints.
I have applied a security constraint on a particular url pattern. Only certain users 
with a special rolename can 
access that link. It used to work but now the page does not load with v4.1.18.
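Is SSL implemented differently after v4.1.12 that prevents my application from working?

Is there any documentation on tomcat v4.1.18 SSL security stuff?


Here is my security constraint in web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSLResource</web-resource-name>
    <url-pattern>/protected</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myrole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>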








Security constraint problem with v4.1.18

2002-12-21 Thread Peter Lee
I upgraded from 4.1.12 to 4.1.18, but I got some problems with security constraints.
I have applied a security constraint on a particular url pattern. Only certain users 
with a special rolename can 
access that link. It used to work but now the page does not load with v4.1.18.
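Is SSL implemented differently after v4.1.12 that prevents my application from working?

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSLResource</web-resource-name>
    <url-pattern>/protected</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myrole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>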







Security Constraint and Server.xml and Login Config

2002-09-26 Thread ed banfa


Hi ,

How is everyone doing, hope ok.

I have this problem with trying to use Basic authentication with my web app. I have 
Tomcat 4.1.10 up and running on win 2000 machine using j2sdk1.4.

Tomcat is listening on port 8443 for SSL connections. I would like the browser to 
display a login box to the user when the user attempts to access a protected resource. 
When I try to check/test the app, it allows me into the restricted area without 
having to log in. I expect to be prompted to enter a user name and a password but hey 
nothing like that happens. What am I doing wrong?

 

Please if you can help me out I will appreciate it.

Below is what my web.xml looks like. The manager role is the same role name I 
specified in tomcat-users.xml









Secure Area



/secure/*





manager

tomcat







manager





BASIC

User Basic Authentication





 

Thanks in advance 

Edward

 





How to set up a security constraint?

2002-08-30 Thread Colic, Alex


Hi,

I have a web site with the following directory structure:

root/admin/sysop.

I only want certain people to have access to the admin section and only
other people to have access to the sysop section.

I have created two users in the  tomcat-users.xml file:

  
  
  
  

In the server.xml file I have uncommented the:

 line.

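Then in the web.xml file I have added the following:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Pages</web-resource-name>
      <url-pattern>/admin</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sysop Pages</web-resource-name>
      <url-pattern>/admin/sysop/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sysop</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin Pages</realm-name>
  </login-config>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Sysop Pages</realm-name>
  </login-config>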

This is where my problem is. User admin and sysop can access both the admin
and the sysop sections. I must have set the security constraint incorrectly.
Can someone please point out what is wrong?

Thanks

Alex





Re: Security Constraint in web.xml

2002-08-16 Thread V. Cekvenich

There is a sample basicPortal.sourceforge.net that does this, you can 
look at source code... and there is deployment docs.

v.

Kevin Andryc wrote:
> I was wondering how I can only protect certain classes in my application.
> For example, if someone tries to access a servlet (i.e.:
> http://localhost:8080/test/servlet/foo) then a login page comes up and the
> person has to sign in. But, if the person tries to access a different
> servlet (i.e.: http://localhost:8080/test/servlet/bar) then no login page
> appears. Can this be done in the security constraint in my web.xml? If so,
> how? I have tried before and keep getting errors!
> 
> Thanks,
> Kevin
> 
> Kevin Andryc
> Web Systems Engineer
> MISER
> http://www.umass.edu/miser/
> Phone: (413)-545-3460
> [EMAIL PROTECTED]
> 
> 
> 
> 
> 




Security Constraint in web.xml

2002-08-16 Thread Kevin Andryc

I was wondering how I can only protect certain classes in my application.
For example, if someone tries to access a servlet (i.e.:
http://localhost:8080/test/servlet/foo) then a login page comes up and the
person has to sign in. But, if the person tries to access a different
servlet (i.e.: http://localhost:8080/test/servlet/bar) then no login page
appears. Can this be done in the security constraint in my web.xml? If so,
how? I have tried before and keep getting errors!

Thanks,
Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]









Re: web.xml security-constraint bug?

2002-08-02 Thread Tony_Chao


Is this something that's planned to be fixed in Tomcat 3.3?

I'd be willing to help work on a fix if necessary.

-Tony





On Thu, 1 Aug 2002 [EMAIL PROTECTED] wrote:

> Date: Thu, 1 Aug 2002 18:15:17 -0400
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: web.xml security-constraint bug?
>
> i noticed that if you add the url-pattern /* as a web-resource-collection
> in a security constraint
> and you use FORM auth-method for login-config
>
> if form-login-page is included in the same webapp, there seems to be an
> endless loop.
>

Not if the container is designed correctly.  Tomcat 4, at least, deals
with this situation just fine, because it doesn't try to apply the
constraint against the form login page or form error page.

> is there any way to specify an url-pattern that includes all except
> login.jsp?
>
> thanks
>
> -Tony

Craig






Re: web.xml security-constraint bug?

2002-08-01 Thread Craig R. McClanahan



On Thu, 1 Aug 2002 [EMAIL PROTECTED] wrote:

> Date: Thu, 1 Aug 2002 18:15:17 -0400
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: web.xml security-constraint bug?
>
> i noticed that if you add the url-pattern /* as a web-resource-collection
> in a security constraint
> and you use FORM auth-method for login-config
>
> if form-login-page is included in the same webapp, there seems to be an
> endless loop.
>

Not if the container is designed correctly.  Tomcat 4, at least, deals
with this situation just fine, because it doesn't try to apply the
constraint against the form login page or form error page.

> is there any way to specify an url-pattern that includes all except
> login.jsp?
>
> thanks
>
> -Tony

Craig






web.xml security-constraint bug?

2002-08-01 Thread Tony_Chao

i noticed that if you add the url-pattern /* as a web-resource-collection
in a security constraint
and you use FORM auth-method for login-config

if form-login-page is included in the same webapp, there seems to be an
endless loop.

is there any way to specify an url-pattern that includes all except
login.jsp?

thanks

-Tony







Re: mod_jk - not honoring security constraint

2002-07-10 Thread Eddie Bush

LOL - never mind!  I'm stupid - that's my problem.  Tomcat doesn't 
protect html files - and that's all there really is in the docs!  Duh! 
 All I did was prove that Apache is doing what it should do.  ... which 
is what the logfiles told me - but I've been staring at this so long ... 
well, I think you get the idea =)

FALSE ALARM - Sorry about that =/

Eddie

Eddie Bush wrote:

> Tomcat 4.0.4 - Apache 1.3.23
>
> I got everything "working" (I thought) and then set up a BASIC auth on 
> the entire /tomcat-docs/* path.  It happily serves it without making 
> me login.  Is this me or mod_jk?
>
> Thanks,
>
> Eddie
>
>




mod_jk - not honoring security constraint

2002-07-10 Thread Eddie Bush

Tomcat 4.0.4 - Apache 1.3.23

I got everything "working" (I thought) and then set up a BASIC auth on 
the entire /tomcat-docs/* path.  It happily serves it without making me 
login.  Is this me or mod_jk?

Thanks,

Eddie






Re: More complex security-constraint options

2002-05-05 Thread Joel Baker

Yup, I'm going to do 'A'. Much more sensible. Thanks. :D

""Abraham Fathman"" <[EMAIL PROTECTED]> wrote in message
news:<014701c1f3f2$48011430$8a56e20a@pcg>...
| Joel,
|
| You could:
|
| A) Setup a servlet that just included this jsp's.
| B) I don't know if this would work but list the other jsp's in a
| separate security-constraint giving everyone access to these jsps... (I
| don't know if this is possible - I would do A - it better follows
| MVC...)
|
| -Original Message-
| From: Joel Baker [mailto:[EMAIL PROTECTED]]
| Sent: Sunday, May 05, 2002 12:55 AM
| To: [EMAIL PROTECTED]
| Subject: Re: More complex security-constraint options
|
|
| I want to restrict all of /*.jsp except a few jsp files that are used
| for logging on and such. I currently have a security-constraint doing
| this (restricting access to
| *.jsp) but of course I can't find any way of allowing the few jsps I
| want to publicly allow.
|
| Joel.
|
| ""Abraham Fathman"" <[EMAIL PROTECTED]> wrote in message
| news:<013c01c1f3ec$2bc49720$8a56e20a@pcg>...
| | Joel,
| |
| | Setup a  in the web.xml that includes the url that
| | you want to restrict.
| |
| |
| | -Original Message-
| | From: Joel Baker [mailto:[EMAIL PROTECTED]]
| | Sent: Saturday, May 04, 2002 10:24 PM
| | To: [EMAIL PROTECTED]
| | Subject: More complex security-constraint options
| |
| |
| | Hi all,
| |
| | I'm trying to create a web application that imposes a security
| | constraint on all but a few of the JSP pages. I don't want to split up
| | the application putting the non-public stuff in a private directory
| | and only applying the security-constraint to this, as this isn't as
| | elegant as the solution I would ideally like as I want the root of the
| | webapp to be the root for a logged in user, not for them to go to some
| | directory within the webapp.
| |
| | Basically, is there a way to refine the security constraints
| | url-pattern tag to allow excluding certain files or directories?
| |
| | Thanks in advance,
| |
| | Joel Baker.
| |
| |




RE: More complex security-constraint options

2002-05-04 Thread Abraham Fathman

Joel,

You could:

A) Setup a servlet that just included this jsp's. 
B) I don't know if this would work but list the other jsp's in a
separate security-constraint giving everyone access to these jsps... (I
don't know if this is possible - I would do A - it better follows
MVC...)

-Original Message-
From: Joel Baker [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, May 05, 2002 12:55 AM
To: [EMAIL PROTECTED]
Subject: Re: More complex security-constraint options


I want to restrict all of /*.jsp except a few jsp files that are used
for logging on and such. I currently have a security-constraint doing
this (restricting access to
*.jsp) but of course I can't find any way of allowing the few jsps I
want to publicly allow.

Joel.

""Abraham Fathman"" <[EMAIL PROTECTED]> wrote in message
news:<013c01c1f3ec$2bc49720$8a56e20a@pcg>...
| Joel,
|
| Setup a  in the web.xml that includes the url that
| you want to restrict.
|
|
| -Original Message-
| From: Joel Baker [mailto:[EMAIL PROTECTED]]
| Sent: Saturday, May 04, 2002 10:24 PM
| To: [EMAIL PROTECTED]
| Subject: More complex security-constraint options
|
|
| Hi all,
|
| I'm trying to create a web application that imposes a security 
| constraint on all but a few of the JSP pages. I don't want to split up
| the application putting the non-public stuff in a private directory 
| and only applying the security-constraint to this, as this isn't as 
| elegant as the solution I would ideally like as I want the root of the
| webapp to be the root for a logged in user, not for them to go to some
| directory within the webapp.
|
| Basically, is there a way to refine the security constraints 
| url-pattern tag to allow excluding certain files or directories?
|
| Thanks in advance,
|
| Joel Baker.
|
|




Re: More complex security-constraint options

2002-05-04 Thread Joel Baker

I want to restrict all of /*.jsp except a few jsp files that are used for
logging on and such.
I currently have a security-constraint doing this (restricting access to
*.jsp) but of course I can't find any way of allowing the few jsps I want to
publicly allow.

Joel.

""Abraham Fathman"" <[EMAIL PROTECTED]> wrote in message
news:<013c01c1f3ec$2bc49720$8a56e20a@pcg>...
| Joel,
|
| Setup a  in the web.xml that includes the url that
| you want to restrict.
|
|
| -Original Message-
| From: Joel Baker [mailto:[EMAIL PROTECTED]]
| Sent: Saturday, May 04, 2002 10:24 PM
| To: [EMAIL PROTECTED]
| Subject: More complex security-constraint options
|
|
| Hi all,
|
| I'm trying to create a web application that imposes a security
| constraint on all but a few of the JSP pages. I don't want to split up
| the application putting the non-public stuff in a private directory and
| only applying the security-constraint to this, as this isn't as elegant
| as the solution I would ideally like as I want the root of the webapp to
| be the root for a logged in user, not for them to go to some directory
| within the webapp.
|
| Basically, is there a way to refine the security constraints url-pattern
| tag to allow excluding certain files or directories?
|
| Thanks in advance,
|
| Joel Baker.
|
|




RE: More complex security-constraint options

2002-05-04 Thread Abraham Fathman

Joel,

Setup a  in the web.xml that includes the url that
you want to restrict. 


-Original Message-
From: Joel Baker [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, May 04, 2002 10:24 PM
To: [EMAIL PROTECTED]
Subject: More complex security-constraint options


Hi all,

I'm trying to create a web application that imposes a security
constraint on all but a few of the JSP pages. I don't want to split up
the application putting the non-public stuff in a private directory and
only applying the security-constraint to this, as this isn't as elegant
as the solution I would ideally like as I want the root of the webapp to
be the root for a logged in user, not for them to go to some directory
within the webapp.

Basically, is there a way to refine the security constraints url-pattern
tag to allow excluding certain files or directories?

Thanks in advance,

Joel Baker.






More complex security-constraint options

2002-05-04 Thread Joel Baker

Hi all,

I'm trying to create a web application that imposes a security constraint on
all but a few of the JSP pages.
I don't want to split up the application putting the non-public stuff in a
private directory and only applying the security-constraint to this, as this
isn't as elegant as the solution I would ideally like as I want the root of
the webapp to be the root for a logged in user, not for them to go to some
directory within the webapp.

Basically, is there a way to refine the security constraints url-pattern tag
to allow excluding certain files or directories?

Thanks in advance,

Joel Baker.
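
Added example (not from any poster and not Tomcat's own code): a Python model of how a Servlet 2.4-or-later container selects the security-constraint for a request. It covers two questions raised in these threads: what `/protected` matches compared with `/protected/*`, and how a few login pages can be exempted from a broad pattern by giving them their own constraint with no auth-constraint. The web.xml fragment and request paths are constructed, http-method and the `*` role are ignored, and the Tomcat 3.x/4.x releases discussed here predate these rules and may select constraints differently.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment for illustration; not any poster's real file.
WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public login pages</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/error.jsp</url-pattern>
    </web-resource-collection>
    <!-- no auth-constraint here: these exact paths stay public -->
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Exact path only</web-resource-name>
      <url-pattern>/protected</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole subtree</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def match_rank(pattern, path):
    """Return a sortable rank if pattern matches path, else None.

    Higher rank is a better match: exact > longest path prefix >
    extension > default ("/").
    """
    if pattern == "/":
        return (0, 0)
    if pattern.startswith("*."):
        last_segment = path.rsplit("/", 1)[-1]
        return (1, 0) if last_segment.endswith(pattern[1:]) else None
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    return (3, 0) if path == pattern else None


def load_constraints(xml_text):
    """Parse <security-constraint> elements into (patterns, roles) pairs.

    roles is None when the constraint has no <auth-constraint> at all,
    and an empty set when <auth-constraint> names no roles.
    """
    constraints = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.iter("role-name")}
        constraints.append((patterns, roles))
    return constraints


def decide(constraints, path, user_roles=None):
    """Return 'permit', 'login' or 'deny' for a request path.

    user_roles is None for a request that has not authenticated yet.
    Only the constraints on the best-matching pattern are applied.
    """
    best, applicable = None, []
    for patterns, roles in constraints:
        for pattern in patterns:
            rank = match_rank(pattern, path)
            if rank is None:
                continue
            if best is None or rank > best:
                best, applicable = rank, [roles]
            elif rank == best:
                applicable.append(roles)
    if not applicable:
        return "permit"            # no constraint covers this path
    if any(r is not None and not r for r in applicable):
        return "deny"              # auth-constraint with no roles blocks everyone
    if any(r is None for r in applicable):
        return "permit"            # no auth-constraint: open to everyone
    if user_roles is None:
        return "login"             # container would challenge for credentials
    allowed = set().union(*applicable)
    return "permit" if allowed & set(user_roles) else "deny"


CONSTRAINTS = load_constraints(WEB_XML)
```

In this model `decide(CONSTRAINTS, "/protected/report.html")` returns `permit`, because `/protected` is an exact-match pattern and covers nothing beneath it, while `/login.jsp` stays public even though `*.jsp` is protected.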






RE: HELP! BASIC authentication and security-constraint issue, 3.2.3

2002-04-30 Thread Roland Chan

Sorry, my tomcat-users.xml should read:
 
  
 
-Original Message-
From: Roland Chan [mailto:[EMAIL PROTECTED]] 
Sent: April 30, 2002 1:06 PM
To: '[EMAIL PROTECTED]'
Subject: HELP! BASIC authentication and security-constraint issue, 3.2.3
 
Hello,
 
I'm having an issue with testing BASIC authentication with 3.2.3.
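Although the window prompting for username and password appears,
regardless of the values it always allows access to the requested page.
Can anyone point me in the right direction?  I am currently using JBOSS
with embedded tomcat 3.2.3, but have also tried this on standalone
3.2.3.  Is this just a version problem?  Here are the relevant contents
of my web.xml:
 
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>ABC</web-resource-name>
         <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>abc</role-name>
      </auth-constraint>
   </security-constraint>
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>ABCRealm</realm-name>
   </login-config>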
 
My tomcat-users.xml:
 

 
Your help is appreciated!  Thanks!
 
 



HELP! BASIC authentication and security-constraint issue, 3.2.3

2002-04-30 Thread Roland Chan

Hello,
 
I'm having an issue with testing BASIC authentication with 3.2.3.
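Although the window prompting for username and password appears,
regardless of the values it always allows access to the requested page.
Can anyone point me in the right direction?  I am currently using JBOSS
with embedded tomcat 3.2.3, but have also tried this on standalone
3.2.3.  Is this just a version problem?  Here are the relevant contents
of my web.xml:
 
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>ABC</web-resource-name>
         <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>abc</role-name>
      </auth-constraint>
   </security-constraint>
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>ABCRealm</realm-name>
   </login-config>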
 
My tomcat-users.xml:
 

 
Your help is appreciated!  Thanks!
 
 



RE: SingleSignOn Or Security Constraint ?

2002-04-18 Thread Renato Romano

That's right. But what I actually mean is: what are the differences
between 1) defining two protected areas in ONE web-app, using TWO
security constraint, and 2) defining TWO web-app, using single-sign-on
(which actually is not defined in web.xml, but in the server config file
server.xml)  with each ONE security constraint ?
I think the point is that using single-sign-on implies sharing of the
Realm class used to authenticate the users, and thus, at least in my
environment, using the same database of users and roles, so it seems to
me that there is no great difference...

Renato

Renato Romano
Sistemi e Telematica S.p.A.
Calata Grazie - Vial Al Molo Giano
16127 - GENOVA

e-mail: [EMAIL PROTECTED]
Tel.:   010 2712603
_


-Original Message-
From: Dan K. [mailto:[EMAIL PROTECTED]] 
Sent: giovedì 18 aprile 2002 18.33
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: Re: SingleSignOn Or Security Constraint ?



Hi,

Correct me if I'm not thinking straight but doesn't the Single Sign-on
and Security Constraint in the web.xml file do different things?  The
single sign-on allows the user to remained logged in while traversing
different webapps and the Security Constraint determines who has access
to the webapp.

Regards,
Dan

On Thu, 18 Apr 2002, Renato Romano wrote:

> I just configured Single Sign on on my Tomcat4 server, and was just 
> wondering what's the best way to chose, when I have to add a new 
> service to my site, if just adding  a security constraint, in my main 
> Context, or configuring and using single signon, for achieving the 
> same result!
>
> It seems to me that using singlesignon has the following advantages:
> 1) I create a service as a standalone application, that can then be 
> deployed elsewhere;
> 2) I don't have to restart Tomcat in order to deploy/restart the new 
> service, or making it temporarily unavailable, thanks to the manager 
> application;
> 3) I can continue sharing java classes, by putting them in the 
> "common" dir;
> 4) In my situation, obviously, a centralized database of users and 
> roles is ok; different context on tomcat, in my environment, should 
> only appear as different "services" or "roles", just similar to 
> defining new security constraints.
>
> I have not investigated too much on this topic, so the question is: is
> there something I don't see that can cause problems using single 
> signon in this way ? Has someone already had such a doubt and how 
> he/she solved it ?
>
> Thanks
> Renato
>
> 
> Renato Romano
> Sistemi e Telematica S.p.A.
> Calata Grazie - Vial Al Molo Giano
> 16127 - GENOVA
>
> e-mail: [EMAIL PROTECTED]
> Tel.:   010 2712603
> _
>
>
> --
> To unsubscribe:   <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
>


--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>







Converted: Re: SingleSignOn Or Security Constraint ?

2002-04-18 Thread Jorge Valenzuela S.

The documents converted by Doc2pdf version 0.6.1a

Doc2pdf is OpenSource Software written by Matthew Peterson.  For more 
information please see http://doc2pdf.sourceforge.net

Could not find any convertible attachments.  If you are sure that you 
did indeed attach a file to convert, please report a Doc2pdf bug by 
sending EXACTLY the same email to [EMAIL PROTECTED] with the
string "doc2pdf bug" in the subject line.

Before reporting a bug, please note: 

- Doc2pdf only converts attachments that are sent as part of MIME messages
  Some mailers do not send MIME format
- Doc2pdf can not convert password protected documents (it doesn't know 
  the password).




Re: SingleSignOn Or Security Constraint ?

2002-04-18 Thread Dan K.


Hi,

Correct me if I'm not thinking straight but doesn't the Single Sign-on and
Security Constraint in the web.xml file do different things?  The single
sign-on allows the user to remain logged in while traversing different
webapps and the Security Constraint determines who has access to the
webapp.

Regards,
Dan

On Thu, 18 Apr 2002, Renato Romano wrote:

> I just configured Single Sign on on my Tomcat4 server, and was just
> wondering what's the best way to choose, when I have to add a new service
> to my site, if just adding  a security constraint, in my main Context,
> or configuring and using single signon, for achieving the same result!
>
> It seems to me that using singlesignon has the following advantages:
> 1) I create a service as a standalone application, that can then be
> deployed elsewhere;
> 2) I don't have to restart Tomcat in order to deploy/restart the new
> service, or making it temporarily unavailable, thanks to the manager
> application;
> 3) I can continue sharing java classes, by putting them in the "common"
> dir;
> 4) In my situation, obviously, a centralized database of users and roles
> is ok; different context on tomcat, in my environment, should only
> appear as different "services" or "roles", just similar to defining new
> security constraints.
>
> I have not investigated too much on this topic, so the question is: is
> there something I don't see that can cause problems using single signon
> in this way ? Has someone already had such a doubt and how he/she solved
> it ?
>
> Thanks
> Renato
>
> 
> Renato Romano
> Sistemi e Telematica S.p.A.
> Calata Grazie - Vial Al Molo Giano
> 16127 - GENOVA
>
> e-mail: [EMAIL PROTECTED]
> Tel.:   010 2712603
> _
>
>




SingleSignOn Or Security Constraint ?

2002-04-18 Thread Renato Romano

I just configured Single Sign on on my Tomcat4 server, and was just
wondering what's the best way to choose, when I have to add a new service
to my site, if just adding  a security constraint, in my main Context,
or configuring and using single signon, for achieving the same result!

It seems to me that using singlesignon has the following advantages:
1) I create a service as a standalone application, that can then be
deployed elsewhere;
2) I don't have to restart Tomcat in order to deploy/restart the new
service, or making it temporarily unavailable, thanks to the manager
application;
3) I can continue sharing java classes, by putting them in the "common"
dir;
4) In my situation, obviously, a centralized database of users and roles
is ok; different context on tomcat, in my environment, should only
appear as different "services" or "roles", just similar to defining new
security constraints.

I have not investigated too much on this topic, so the question is: is
there something I don't see that can cause problems using single signon
in this way ? Has someone already had such a doubt and how he/she solved
it ?

Thanks
Renato


Renato Romano
Sistemi e Telematica S.p.A.
Calata Grazie - Vial Al Molo Giano
16127 - GENOVA

e-mail: [EMAIL PROTECTED]
Tel.:   010 2712603
_






Re: security-constraint and error-page

2002-03-18 Thread rsequeira


Thanks Craig.

RS





"Craig R. McClanahan" <[EMAIL PROTECTED]> on 03/18/2002 11:40:51 AM

Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>

To:   Tomcat Users List <[EMAIL PROTECTED]>
cc:




On Mon, 18 Mar 2002 [EMAIL PROTECTED] wrote:

> Date: Mon, 18 Mar 2002 08:44:56 -0600
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: security-constraint and error-page
>
>
> Thanks Craig. But I was wondering if there was some way where we could
> intercept the container generated 401 response before it is sent to the
> browser. And after a certain count, send a 200 OK response with some page
> describing that the user does not have access to that resource.
> Correct me if I'm wrong, but my understanding was that the number of times
> the server responds with a 401 is dependent on the server (Tomcat, in our
> case). Or is it actually? Tomcat sends a 401 Unauthorized response twice
> (if the userid/password is incorrect) and after the third incorrect
> attempt, Tomcat sends a page back. Is the status code associated with the
> fourth response a "401 Unauthorized" still or is it some other code since I
> thought if the browser receives a 401, it displays the login dialog box.
> According to the HTTP/1.1 rfc:
> "If the 401 response contains the same challenge as the prior response, and
> the user agent has already attempted authentication at least once, then the
> user SHOULD be presented the entity that was given in the response, since
> that entity MAY include relevant diagnostic information."
> With regards to the above quote, does this mean that the browser on
> receiving the fourth "401 Unauthorized" displays the page that came along
> with it?
>

You can intercept this, but you'll need to do it with Tomcat-specific
mechanisms (since authentication is happening before your application's
servlets are ever invoked).  Authentication is implemented by Valves
inside of Tomcat (very similar to Filters at the web application level),
so you can write and install a Valve of your own that is invoked before
authentication to do this kind of interception.

To get further, you'll need to download the Tomcat 4 source distribution
and look at the org.apache.catalina.Valve interface.

> Thanks.
> RS

Craig






Re: security-constraint and error-page

2002-03-18 Thread Craig R. McClanahan



On Mon, 18 Mar 2002 [EMAIL PROTECTED] wrote:

> Date: Mon, 18 Mar 2002 08:44:56 -0600
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: security-constraint and error-page
>
>
> Thanks Craig. But I was wondering if there was some way where we could
> intercept the container generated 401 response before it is sent to the
> browser. And after a certain count, send a 200 OK response with some page
> describing that the user does not have access to that resource.
> Correct me if I'm wrong, but my understanding was that the number of times
> the server responds with a 401 is dependent on the server (Tomcat, in our
> case). Or is it actually? Tomcat sends a 401 Unauthorized response twice
> (if the userid/password is incorrect) and after the third incorrect
> attempt, Tomcat sends a page back. Is the status code associated with the
> fourth response a "401 Unauthorized" still or is it some other code since I
> thought if the browser receives a 401, it displays the login dialog box.
> According to the HTTP/1.1 rfc:
> "If the 401 response contains the same challenge as the prior response, and
> the user agent has already attempted authentication at least once, then the
> user SHOULD be presented the entity that was given in the response, since
> that entity MAY include relevant diagnostic information."
> With regards to the above quote, does this mean that the browser on
> receiving the fourth "401 Unauthorized" displays the page that came along
> with it?
>

You can intercept this, but you'll need to do it with Tomcat-specific
mechanisms (since authentication is happening before your application's
servlets are ever invoked).  Authentication is implemented by Valves
inside of Tomcat (very similar to Filters at the web application level),
so you can write and install a Valve of your own that is invoked before
authentication to do this kind of interception.

To get further, you'll need to download the Tomcat 4 source distribution
and look at the org.apache.catalina.Valve interface.

> Thanks.
> RS

Craig
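
An added example, not code from the thread or from Tomcat: a Valve that sits ahead of the authenticator, as the reply above describes, and stops challenging a client after repeated failed BASIC logins. The class name FailedLoginValve, the three-failure limit and the five-minute window are assumptions, and it is written against the Tomcat 8.5/9 ValveBase API (javax.servlet) rather than the Tomcat 4 interface named in the thread.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical valve (added example): counts failed BASIC logins per client
 * address and answers 403 instead of another 401 challenge once the limit
 * is reached within the window.
 */
public class FailedLoginValve extends ValveBase {

    private static final long WINDOW_MS = 5 * 60 * 1000L; // assumed policy

    private int maxFailures = 3; // assumed default; settable as a Valve attribute

    // client address -> { failures so far, time of the first failure }
    private final ConcurrentMap<String, long[]> failures = new ConcurrentHashMap<>();

    public void setMaxFailures(int maxFailures) {
        this.maxFailures = maxFailures;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String client = request.getRemoteAddr();
        long now = System.currentTimeMillis();

        long[] seen = failures.get(client);
        if (seen != null && now - seen[1] > WINDOW_MS) {
            failures.remove(client, seen); // window expired, start over
            seen = null;
        }
        if (seen != null && seen[0] >= maxFailures) {
            // Limit reached: never reach the authenticator, so no login dialog.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Too many failed logins; try again later.");
            return;
        }

        // Run the rest of the pipeline, including the authenticator valve.
        getNext().invoke(request, response);

        // The first 401 of a BASIC exchange is only the challenge: the request
        // carried no Authorization header, so it is not counted as a failure.
        boolean sentCredentials = request.getHeader("Authorization") != null;
        int status = response.getStatus();
        if (sentCredentials && status == HttpServletResponse.SC_UNAUTHORIZED) {
            failures.merge(client, new long[] {1, now},
                    (old, first) -> new long[] {old[0] + 1, old[1]});
        } else if (sentCredentials && status < 400) {
            failures.remove(client); // successful login clears the record
        }
    }
}
```

Register it with a Valve element whose className points at this class; maxFailures can be set as an attribute on that element. Clients behind a shared proxy share one address, and a stale entry is only dropped when that client returns.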






Re: security-constraint and error-page

2002-03-18 Thread rsequeira


Thanks Craig. But I was wondering if there was some way where we could
intercept the container generated 401 response before it is sent to the
browser. And after a certain count, send a 200 OK response with some page
describing that the user does not have access to that resource.
Correct me if I'm wrong, but my understanding was that the number of times
the server responds with a 401 is dependent on the server (Tomcat, in our
case). Or is it actually? Tomcat sends a 401 Unauthorized response twice
(if the userid/password is incorrect) and after the third incorrect
attempt, Tomcat sends a page back. Is the status code associated with the
fourth response a "401 Unauthorized" still or is it some other code since I
thought if the browser receives a 401, it displays the login dialog box.
According to the HTTP/1.1 rfc:
"If the 401 response contains the same challenge as the prior response, and
the user agent has already attempted authentication at least once, then the
user SHOULD be presented the entity that was given in the response, since
that entity MAY include relevant diagnostic information."
With regards to the above quote, does this mean that the browser on
receiving the fourth "401 Unauthorized" displays the page that came along
with it?

Thanks.
RS





"Craig R. McClanahan" <[EMAIL PROTECTED]> on 03/16/2002 04:16:31 PM

Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>

To:   Tomcat Users List <[EMAIL PROTECTED]>
cc:

Subject:  Re: security-constraint and error-page



On Sat, 16 Mar 2002 [EMAIL PROTECTED] wrote:

> Date: Sat, 16 Mar 2002 15:18:34 -0600
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: security-constraint and error-page
>
>
> HAFAIK, when the webserver responds with a 401 Unauthorized error,
> the browser shows up an authentication dialog box. But since you have
> configured a 401 error page directive in the web.xml, I think Tomcat
> generates a 401 UnAuthorized response but then like a 404 custom error page
> redirect,  it redirects to the notauthorized.jsp instead of sending a 401
> response to the client.
> I think what you desire is something like this (correct me if I'm wrong):
> Tomcat should send a 401 response at least 3 times (or more) and then
> display a "You are Unauthorized" page back.
> I don't know how to do this in web.xml. Maybe writing a wrapper or filter
> would help. Need to check the code that does Basic Authentication. I think
> it should have some clues. Craig McClanahan is the author of the code.
> Hopefully he throws some light on this topic. I know he's online :-)
>

:-)

Tomcat 4.0.1 had a problem with creating a custom error page for
container-generated status messages like a 401.  This was fixed in 4.0.2
and 4.0.3.

However, it's not going to do you any good if you are using BASIC
authentication -- browsers generally just pop up the login dialog box and
don't show the page that came along with it -- and there's nothing Tomcat
can do about that.  If you really want to control the look and feel of the
login page, you should use form-based authentication instead of BASIC.

> Thanks.
> RS

Craig

>
>
>
>
>
> [EMAIL PROTECTED] on 03/12/2002 09:33:47 PM
>
> Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>
>
> To:   [EMAIL PROTECTED]
> cc:
>
> Subject:  security-constraint and error-page
>
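> I've set up a security constraint, with basic authentication, in a memory
> realm.  It works as expected until I add an error page for the 401 error
> code (unauthorized). Then, when I request the page, I get the 401 error
> page automatically and am never prompted to login.  I was expecting to get
> the 401 error page only if I supplied an incorrect login.
>
> What am I doing wrong?  (Win2000pro, Tomcat 4.0.3, jdk 1.4)   Here is a
> portion of my web.xml:
>
>   <error-page>
>     <error-code>401</error-code>
>     <location>/notauthorized.jsp</location>
>   </error-page>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>BrawnerLau Website</web-resource-name>
>       <url-pattern>/adminentry.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>brawnerlau</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>BrawnerLau Website</realm-name>
>   </login-config>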
>
>
> Thanks,
>
> Jason E. Brawner
> Silenus Group
> (248) 735-8077
>
>




Re: security-constraint and error-page

2002-03-16 Thread Craig R. McClanahan



On Sat, 16 Mar 2002 [EMAIL PROTECTED] wrote:

> Date: Sat, 16 Mar 2002 15:18:34 -0600
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: security-constraint and error-page
>
>
> HAFAIK, when the webserver responds with a 401 Unauthorized error,
> the browser shows up an authentication dialog box. But since you have
> configured a 401 error page directive in the web.xml, I think Tomcat
> generates a 401 UnAuthorized response but then like a 404 custom error page
> redirect,  it redirects to the notauthorized.jsp instead of sending a 401
> response to the client.
> I think what you desire is something like this (correct me if I'm wrong):
> Tomcat should send a 401 response at least 3 times (or more) and then
> display a "You are Unauthorized" page back.
> I don't know how to do this in web.xml. Maybe writing a wrapper or filter
> would help. Need to check the code that does Basic Authentication. I think
> it should have some clues. Craig McClanahan is the author of the code.
> Hopefully he throws some light on this topic. I know he's online :-)
>

:-)

Tomcat 4.0.1 had a problem with creating a custom error page for
container-generated status messages like a 401.  This was fixed in 4.0.2
and 4.0.3.

However, it's not going to do you any good if you are using BASIC
authentication -- browsers generally just pop up the login dialog box and
don't show the page that came along with it -- and there's nothing Tomcat
can do about that.  If you really want to control the look and feel of the
login page, you should use form-based authentication instead of BASIC.

> Thanks.
> RS

Craig

>
>
>
>
>
> [EMAIL PROTECTED] on 03/12/2002 09:33:47 PM
>
> Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>
>
> To:   [EMAIL PROTECTED]
> cc:
>
> Subject:  security-constraint and error-page
>
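> I've set up a security constraint, with basic authentication, in a memory
> realm.  It works as expected until I add an error page for the 401 error
> code (unauthorized). Then, when I request the page, I get the 401 error
> page automatically and am never prompted to login.  I was expecting to get
> the 401 error page only if I supplied an incorrect login.
>
> What am I doing wrong?  (Win2000pro, Tomcat 4.0.3, jdk 1.4)   Here is a
> portion of my web.xml:
>
>   <error-page>
>     <error-code>401</error-code>
>     <location>/notauthorized.jsp</location>
>   </error-page>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>BrawnerLau Website</web-resource-name>
>       <url-pattern>/adminentry.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>brawnerlau</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>BrawnerLau Website</realm-name>
>   </login-config>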
>
>
> Thanks,
>
> Jason E. Brawner
> Silenus Group
> (248) 735-8077
>
>




Re: security-constraint and error-page

2002-03-16 Thread rsequeira


HAFAIK, when the webserver responds with a 401 Unauthorized error,
the browser shows up an authentication dialog box. But since you have
configured a 401 error page directive in the web.xml, I think Tomcat
generates a 401 UnAuthorized response but then like a 404 custom error page
redirect,  it redirects to the notauthorized.jsp instead of sending a 401
response to the client.
I think what you desire is something like this (correct me if I'm wrong):
Tomcat should send a 401 response at least 3 times (or more) and then
display a "You are Unauthorized" page back.
I don't know how to do this in web.xml. Maybe writing a wrapper or filter
would help. Need to check the code that does Basic Authentication. I think
it should have some clues. Craig McClanahan is the author of the code.
Hopefully he throws some light on this topic. I know he's online :-)

Thanks.
RS





[EMAIL PROTECTED] on 03/12/2002 09:33:47 PM

Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>

To:   [EMAIL PROTECTED]
cc:

Subject:  security-constraint and error-page

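I've set up a security constraint, with basic authentication, in a memory
realm.  It works as expected until I add an error page for the 401 error
code (unauthorized). Then, when I request the page, I get the 401 error
page automatically and am never prompted to login.  I was expecting to get
the 401 error page only if I supplied an incorrect login.

What am I doing wrong?  (Win2000pro, Tomcat 4.0.3, jdk 1.4)   Here is a
portion of my web.xml:

  <error-page>
    <error-code>401</error-code>
    <location>/notauthorized.jsp</location>
  </error-page>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>BrawnerLau Website</web-resource-name>
      <url-pattern>/adminentry.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>brawnerlau</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BrawnerLau Website</realm-name>
  </login-config>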


Thanks,

Jason E. Brawner
Silenus Group
(248) 735-8077





